feat: implement secure user authentication with JWT, bcrypt, and Prisma#76

Merged
gelluisaac merged 3 commits into nexoraorg:develop from Ajibose:feature/authentication on Oct 4, 2025

Conversation

@Ajibose (Contributor) commented Oct 4, 2025

implement secure user authentication

Summary

This PR introduces a robust, secure authentication system for the backend.
It enables user registration, login, and access token refresh functionality using JWT, bcrypt, Zod, and Prisma ORM.

Implementation Details

Core Features

  • User Registration
    • Validates inputs with Zod
    • Hashes passwords with bcrypt
    • Persists new users to the database
  • Login
    • Verifies credentials
    • Returns JWT access token and refresh token
  • Token Refresh
    • Validates stored refresh tokens
    • Generates new access token upon valid request
  • Security Enhancements
    • Refresh tokens are hashed before saving to DB
    • Rate limiting on /auth endpoints
    • Role-based user model with enum Role { user, admin }

Database Models (Prisma)

  • User
    • Stores credentials, role, and relations to refresh tokens
  • RefreshToken
    • Tracks tokens per user with expiry and hashed value

New Files Added

  • src/controllers/authController.ts – Core authentication logic
  • src/utils/password.ts – Password hashing/comparison
  • src/utils/jwt.ts – JWT generation and validation
  • src/routes/auth.ts – Auth routes with rate limiter
  • prisma/schema.prisma – Updated schema with relations and enums
  • src/prisma/client.ts – Shared Prisma client instance

Setup & Migration Instructions

Before running or testing the API, ensure your environment is ready:

Install dependencies

pnpm install

Set up your .env file

Create a .env file in the backend/ directory with the following variables (use secure random secrets in production):

DATABASE_URL="file:./dev.db"
JWT_SECRET="your_super_secret_key"
REFRESH_TOKEN_SECRET="your_refresh_secret_key"
BCRYPT_SALT_ROUNDS=12
ACCESS_TOKEN_EXPIRATION=15m
REFRESH_TOKEN_EXPIRATION=7d
PORT=5000

Ensure .env and prisma/dev.db are listed in .gitignore

Generate Prisma client

pnpm prisma generate

Apply database migrations

pnpm prisma migrate dev --name init

Start the development server

pnpm run dev

The backend will start on:

http://localhost:5000

Testing Instructions

  1. Register a new user

curl -X POST http://localhost:5000/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{"email": "test@example.com", "password": "Password123!"}'

Expected Response:

{
  "message": "User registered",
  "userId": "<uuid>"
}

  2. Log in to get access and refresh tokens
curl -X POST http://localhost:5000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "test@example.com", "password": "Password123!"}'

Expected Response:

{
  "accessToken": "<jwt_access_token>",
  "refreshToken": "<refresh_token>"
}

Copy the refreshToken; it will be needed in the next step.

  3. Refresh the access token
curl -X POST http://localhost:5000/api/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"token": "<refresh_token>"}'

Expected Response:

{
  "accessToken": "<new_jwt_access_token>"
}

Developer Notes

  1. Passwords are hashed using bcrypt (never stored in plaintext).

  2. Tokens are signed and verified using .env secrets.

  3. Refresh tokens are stored hashed in the database for security.

  4. Rate limiting is applied to prevent brute-force attacks.

  5. I had to include one more file that was not in the task requirements so I could use Prisma.

Prisma handles database schema and migrations.
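The "refresh tokens are hashed before saving to DB" point from the summary, worked through as an added example. This is not code from this PR or from the nexoraorg repository: it replaces the Prisma RefreshToken table with an in-memory array, uses only Node's built-in crypto module, and assumes field names (tokenHash, expiresAt, revoked) that are not taken from the PR's schema. It also goes one step beyond the PR by rotating the refresh token on each redemption rather than only issuing a new access token; SHA-256 is chosen here because a 256-bit random token, unlike a password, does not need a slow hash.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// Stand-in for a RefreshToken table: an in-memory array instead of a database.
// Field names are assumptions for this example, not the PR's Prisma schema.
interface RefreshTokenRow {
  id: string;
  userId: string;
  tokenHash: string;  // hex SHA-256 of the raw token; the raw token is never stored
  expiresAt: number;  // epoch milliseconds
  revoked: boolean;
}

const refreshTokenTable: RefreshTokenRow[] = [];

// Refresh tokens are 256-bit random strings, so a fast hash already makes a leaked
// table useless to an attacker; slow hashes like bcrypt are for low-entropy passwords.
export function hashRefreshToken(raw: string): string {
  return createHash("sha256").update(raw, "utf8").digest("hex");
}

// Mint a token for a user, persist only its hash, and hand the raw value to the client.
export function issueRefreshToken(userId: string, ttlMs: number, now: number = Date.now()): string {
  const raw = randomBytes(32).toString("base64url");
  refreshTokenTable.push({
    id: randomBytes(8).toString("hex"),
    userId,
    tokenHash: hashRefreshToken(raw),
    expiresAt: now + ttlMs,
    revoked: false,
  });
  return raw;
}

// Find the presented token by its hash; reject unknown, revoked, or expired rows.
export function verifyRefreshToken(raw: string, now: number = Date.now()): { userId: string } | null {
  const presented = Buffer.from(hashRefreshToken(raw), "hex");
  for (const row of refreshTokenTable) {
    const stored = Buffer.from(row.tokenHash, "hex");
    // Constant-time comparison; both digests are 32 bytes, so lengths always match.
    if (stored.length !== presented.length || !timingSafeEqual(stored, presented)) continue;
    if (row.revoked || row.expiresAt <= now) return null;
    return { userId: row.userId };
  }
  return null;
}

// Single-use rotation: the redeemed token is revoked immediately, so a stolen copy
// replayed later fails verification. Returns the new raw token, or null on rejection.
export function rotateRefreshToken(raw: string, ttlMs: number, now: number = Date.now()): string | null {
  const verified = verifyRefreshToken(raw, now);
  if (!verified) return null;
  const presentedHash = hashRefreshToken(raw);
  for (const row of refreshTokenTable) {
    if (row.tokenHash === presentedHash) row.revoked = true;
  }
  return issueRefreshToken(verified.userId, ttlMs, now);
}
```

With a real database the lookup would be an indexed query on tokenHash rather than a scan, which is exactly why hashing random tokens (rather than salting them like passwords) keeps the refresh endpoint a single-row read.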

@Ajibose (Contributor, Author) commented Oct 4, 2025

I am sorry for the delay. I had an issue with my laptop.

@gelluisaac gelluisaac merged commit 1a9aaf0 into nexoraorg:develop Oct 4, 2025