A robust backend REST API built with Node.js, Express, and Neon Postgres, offering enterprise-grade security and authentication features.
- Secure User Authentication: Robust registration and login flows backed by BCrypt hashing.
- JWT & Refresh Token Rotation: Implements stateless, short-lived access tokens and HTTP-only, cookie-based refresh tokens that are rotated on every use.
- Advanced Session Management: Track all active user sessions across devices. Revoke individual sessions or logout from all devices instantly.
- Security Audit Logging: Comprehensive auditing of critical security events (logins, logouts, token refreshes, lockouts).
- Password Strength & History Enforcement: Uses `zxcvbn` to prevent weak passwords and stores a rolling history to strictly prohibit recent password reuse.
- Rate Limiting & Account Lockout: Protects against brute-force attacks by rate-limiting requests and automatically locking out accounts after 5 failed login attempts.
- Role-Based Access Control (RBAC): Protects administrative routes and ensures users can only access their authorized resources.
- Backend: Node.js, Express.js
- Database: PostgreSQL (Neon Serverless)
- Security: JSON Web Tokens (JWT), BCrypt, Zod (Input Validation), Zxcvbn (Password Strength), Express Rate Limit
- `POST /api/auth/register` - Create a new account
- `POST /api/auth/login` - Authenticate and establish a session
- `POST /api/auth/refresh` - Obtain a fresh access token
- `POST /api/auth/logout` - Revoke the current active session
- `POST /api/auth/logout-all` - Terminate all active sessions connected to the account
- `POST /api/auth/change-password` - Securely change an account's password
- `GET /api/auth/sessions` - Retrieve all active device sessions
- `GET /api/auth/audit-logs` - Access personal security audit history
- `GET /api/auth/get-me` - Retrieve current user details
