This project implements a secure session-based authentication system using Node.js, Express, MongoDB, and other modern tools and libraries. It supports user authentication, role-based access control, session management, and password reset functionality.
- User Authentication:
  - Register
  - Login
  - Logout
- Session Management:
  - Secure sessions with expiration handling.
  - Session ID regeneration on login so that a session ID known before authentication cannot be reused (session fixation).
- Role-Based Access Control:
  - Differentiate users based on roles (e.g., admin, user).
  - Restrict access to specific routes based on roles.
- Password Management:
  - Password hashing using bcrypt.
  - Password reset functionality with validation.
- Rate Limiting:
  - Protect routes from excessive API requests and repeated login attempts.
- Security Enhancements:
  - CSRF protection.
  - Helmet for setting secure HTTP headers.
- Input Validation with Joi:
  - Validates user inputs for registration, login, and password reset on the server so that malformed or unexpected data is rejected before it reaches the database.
- Node.js (v16 or later)
- MongoDB (v4.4 or later)
- Clone the repository:

  git clone https://github.com/letsbegincode/Session-Auth-js.git
  cd <repository-folder>

- Install dependencies:

  npm install

- Create a .env file in the root directory with the following variables. The values shown are the development defaults; the two secrets and the duration settings are discussed in the notes at the end and must not be used as-is in production:

  MONGO_URI=mongodb://127.0.0.1:27017/users
  PORT=3000
  SESSION_SECRET="secretKeyHaiye"
  NODE_ENV=development
  SECRET=secret
  MAX_AGE=40000
  LOGIN_LIMIT=3
  API_REQ_LIMIT_TIME=10000
  PROFILE_LOCK_TIME=60000

- Start the application:

  npm start

  For development mode with live reload:

  npm run dev
POST /auth/signup
Request Body:
{
  "username": "exampleUser",
  "email": "example@example.com",
  "password": "Password123",
  "role": "user"
}
Response:
- Success: 201 Created.
- Failure: appropriate error message with status code.
Because the role is supplied by the client, the server must only accept the roles a self-registered account is allowed to have (e.g., "user") instead of storing the field as sent; otherwise registration becomes a way to obtain the admin role.

POST /auth/login
Request Body:
{
  "username": "exampleUser",
  "password": "Password123"
}
Response:
- Success: 200 OK with session info; the session cookie is issued on this response.
- Failure: 401 Unauthorized or 400 Bad Request.

POST /auth/logout
Requires a valid session cookie.
Response:
- Success: 200 OK; the server-side session is destroyed.
- Failure: appropriate error message.

POST /auth/renew
Renews the current session (see Session Management above). Requires a valid session cookie.
Response:
- Success: 200 OK.
- Failure: appropriate error message.

POST /auth/reset
Request Body:
{
  "username": "exampleUser",
  "newPassword": "NewPassword123",
  "confirmPassword": "NewPassword123"
}
Response:
- Success: 200 OK with confirmation message.
- Failure: appropriate error message (for example when newPassword and confirmPassword differ or the new password fails validation).
The body carries neither the current password nor a reset token, so this route must be reachable only from an authenticated session whose user matches username (or through a separately issued, single-use reset token). If it is left open, anyone who knows a username can set that account's password.

GET /auth/data
Headers:
- Must include a valid session cookie.
Response:
- Success: 200 OK with data.
- Failure: 401 Unauthorized (no valid session) or 403 Forbidden (valid session, but the role is not permitted).
Session Auth js/
|-- app.js
|-- models/
| |-- User.js
|-- routes/
| |-- authRoutes.js
|-- controllers/
| |-- authController.js
| |-- dataController.js
|-- middleware/
| |-- authMiddleware.js
| |-- sessionMiddleware.js
| |-- rateLimiter.js
|-- .env
|-- package.json
- Password Hashing: All passwords are hashed with bcrypt before being stored in the database; plaintext passwords are never persisted.
- Session Security:
  - Session cookies are signed with SESSION_SECRET, and session data is held server-side in MongoDB (connect-mongo), so the client only ever holds an opaque ID.
  - Session regeneration on login prevents fixation attacks.
- Rate Limiting: Protects against brute-force login attempts and request floods; LOGIN_LIMIT, API_REQ_LIMIT_TIME and PROFILE_LOCK_TIME in .env control the thresholds.
- Input Validation: All user inputs are validated with Joi on the server, which rejects malformed or unexpected fields before they reach the database or the authentication logic.
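The rate limiting point above, together with the LOGIN_LIMIT, API_REQ_LIMIT_TIME and PROFILE_LOCK_TIME settings in .env, describes a brute-force guard for the login route. The following is an added example and not the project's own rateLimiter.js or authMiddleware.js; the project uses express-rate-limit. The semantics chosen here (LOGIN_LIMIT failures inside an API_REQ_LIMIT_TIME window lock the account for PROFILE_LOCK_TIME), the per-account key format, and the `now` clock argument are assumptions made for the example.

```javascript
// Added example, not the project's rateLimiter.js or authMiddleware.js: one
// reading of the README's LOGIN_LIMIT, API_REQ_LIMIT_TIME and
// PROFILE_LOCK_TIME settings as a brute-force guard for /auth/login. The
// semantics (LOGIN_LIMIT failures inside an API_REQ_LIMIT_TIME window lock
// the account for PROFILE_LOCK_TIME) and the key format are assumptions; the
// project itself uses express-rate-limit. A `now` argument replaces Date.now()
// so the behaviour is deterministic.

class FixedWindowLimiter {
  // At most `limit` hits per `windowMs` for each key (client IP, username, ...).
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { count, windowStart }
  }

  // Records one hit and reports whether it fits within the limit.
  hit(key, now) {
    let b = this.buckets.get(key);
    if (!b || now - b.windowStart >= this.windowMs) {
      b = { count: 0, windowStart: now };
      this.buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= this.limit;
    return { allowed, count: b.count, retryAfterMs: allowed ? 0 : b.windowStart + this.windowMs - now };
  }

  reset(key) {
    this.buckets.delete(key);
  }
}

class LoginGuard {
  constructor({ loginLimit, windowMs, lockMs }) {
    this.failures = new FixedWindowLimiter(loginLimit, windowMs);
    this.lockMs = lockMs;
    this.lockedUntil = new Map(); // key -> timestamp at which the lock ends
  }

  // Call before the password check. A locked account is refused outright, so
  // the attacker gets no password oracle while the lock lasts.
  check(key, now) {
    const until = this.lockedUntil.get(key);
    if (until !== undefined && now < until) return { allowed: false, retryAfterMs: until - now };
    this.lockedUntil.delete(key);
    return { allowed: true, retryAfterMs: 0 };
  }

  // Call after a wrong password; the LOGIN_LIMIT-th failure in the window locks the key.
  recordFailure(key, now) {
    const r = this.failures.hit(key, now);
    if (r.count >= this.failures.limit) {
      this.lockedUntil.set(key, now + this.lockMs);
      this.failures.reset(key); // start from zero once the lock has expired
      return { locked: true, retryAfterMs: this.lockMs };
    }
    return { locked: false, attemptsLeft: this.failures.limit - r.count };
  }

  recordSuccess(key) {
    this.failures.reset(key);
    this.lockedUntil.delete(key);
  }
}

// Simulated /auth/login handler; `verify` stands in for the bcrypt comparison.
function attemptLogin(guard, key, password, verify, now) {
  const gate = guard.check(key, now);
  if (!gate.allowed) return { status: 429, retryAfterMs: gate.retryAfterMs };
  if (verify(password)) {
    guard.recordSuccess(key);
    return { status: 200 };
  }
  const f = guard.recordFailure(key, now);
  return f.locked ? { status: 429, retryAfterMs: f.retryAfterMs } : { status: 401, attemptsLeft: f.attemptsLeft };
}

// Walks through a burst of bad passwords with the README's .env values
// (assumed to be milliseconds) and returns the status codes observed.
function demo() {
  const settings = { loginLimit: 3, windowMs: 10000, lockMs: 60000 };
  const verify = (pw) => pw === 'correct horse';
  const key = 'exampleUser@203.0.113.7'; // constructed sample: username + client IP
  const t0 = 1700000000000;
  const burst = new LoginGuard(settings);
  const statuses = [
    attemptLogin(burst, key, 'wrong1', verify, t0).status,                // 401, 2 attempts left
    attemptLogin(burst, key, 'wrong2', verify, t0 + 1000).status,         // 401, 1 attempt left
    attemptLogin(burst, key, 'wrong3', verify, t0 + 2000).status,         // 429, locked for 60 s
    attemptLogin(burst, key, 'correct horse', verify, t0 + 3000).status,  // 429, even with the right password
    attemptLogin(burst, key, 'correct horse', verify, t0 + 62000).status, // 200, lock expired
  ];
  // Failures spaced wider than the window never accumulate into a lock.
  const slow = new LoginGuard(settings);
  for (const dt of [0, 10000, 20000]) statuses.push(attemptLogin(slow, key, 'wrong', verify, t0 + dt).status);
  return statuses; // [401, 401, 429, 429, 200, 401, 401, 401]
}
```

express-rate-limit keys on the client IP by default, which throttles a single source but not a distributed attack against one account; the per-account lock shown here is the part that has to live in the project's own middleware, and it should key on the username together with the client IP so that one attacker cannot lock out a victim by name alone.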
- bcrypt: Password hashing.
- body-parser: Parse incoming request bodies.
- connect-mongo: Store sessions in MongoDB.
- cookie-parser: Parse and manage cookies.
- cors: Enable cross-origin requests.
- csurf: Protect against CSRF attacks (note that csurf is deprecated on npm; pin the version you test against and plan a replacement).
- dotenv: Manage environment variables.
- ejs: Templating engine.
- express: Web framework.
- express-rate-limit: Limit repeated requests.
- express-session: Manage user sessions.
- helmet: Secure HTTP headers.
- joi: Input validation.
- mongoose: MongoDB ODM.
- nodemon: Auto-restart during development (development only).
- Ensure MongoDB is running locally, or update MONGO_URI in .env to point at a hosted database.
- For production, replace SESSION_SECRET and SECRET with strong, unique values (for example, 32 or more bytes from a CSPRNG), never the placeholders shown above, and keep .env out of version control.
- Serve the application over HTTPS in production so the session cookie can be marked Secure; it should also be HttpOnly so page scripts cannot read it.
- Always validate user input on both client and server sides; only the server-side validation (Joi here) is a security control, since client-side checks can be bypassed.