Intermediate Lab2 - 3 Weeks Duration

Authentication System

Develop a secure client-server authentication system featuring login, signup, password hashing, JWT creation, dynamic role checks, and refresh tokens.

1. Project Overview

Develop a secure client-server authentication system featuring login, signup, password hashing, JWT creation, dynamic role checks, and refresh tokens.

2. Who Should Build This?

Backend and full-stack developers eager to master security pipelines, token lifecycles, and role-based route protection.

3. Business Requirement & Features

Business Objective

User data security is non-negotiable. The system must verify identities, store passwords securely using bcrypt hashing, issue JWT tokens stored in HttpOnly cookies, and block unauthorized endpoint access.

Core Features List

User Sign Up page with regex strength validation.
Login page issuing JWT access and refresh tokens.
Express authentication middleware checking headers and cookies.
Dynamic Role-Based Access Control protecting admin panels.
Secure token rotation and logout routes.

5. Tech Stack & 6. Folder Structure

Node.jsExpressTypeScriptJSONWebTokensPostgreSQL

auth-system/
├── src/
│   ├── middlewares/
│   │   ├── auth.ts               # Token checks
│   │   └── role.ts               # Role filters
│   ├── controllers/
│   │   └── authController.ts     # Login/Signup logic
│   ├── routes/
│   │   └── authRoutes.ts         # Endpoint paths
│   └── app.ts
└── package.json

7. Component Breakdown

`Auth Controller` Component

Handles registration, password hashing, and user credential validation.

`Token Handler` Component

Generates access/refresh tokens and runs token validations.

`Security Wall` Component

Middlewares verifying token existence and filtering role permissions.

8. API Contract & 9. Database Schema

REST API Interface Contract

POST /api/auth/login
Request:
{
  "email": "user@example.com",
  "password": "SecurePassword123"
}

Response (200 OK):
Cookie: token=<JWT_VALUE>; HttpOnly; Secure
{
  "success": true,
  "user": { "id": "u1", "role": "admin" }
}

PostgreSQL Database Schema

CREATE TABLE users (
  id VARCHAR(50) PRIMARY KEY,
  email VARCHAR(150) UNIQUE NOT NULL,
  password_hash VARCHAR(255) NOT NULL,
  role VARCHAR(20) DEFAULT 'user',
  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

10. Step-by-Step Phases

Phase 1: DB & Password Hashing Setup

Build users tables and write bcrypt helper utilities.

Phase 2: JWT Issuance & Login Route

Code the login/signup controllers and token helpers.

Phase 3: Cookie Authorization Middleware

Write verification middlewares protecting private routes.

Phase 4: Role RBAC & Refresh Tokens

Implement token rotations and role filter blocks.

13. Common Mistakes to Avoid

✕Storing JWT tokens in localStorage, exposing them to XSS attacks.
✕Using weak hashing algorithms (like MD5) instead of bcrypt.
✕Hardcoding secret token keys.

14. Senior Developer Advice

💡 Set short expiry times (15 mins) on access tokens.

💡 Enforce password strength validations.

11. Testing Checklist

0 / 4 Checked

12. Deployment Checklist

0 / 3 Checked

Explain in Interview Template

Pitching: Authentication System

Click on any question to view the recommended architectural response for technical interviews.

16. Future Enhancements

Support OAuth integrations (Google/GitHub).
Add email verification steps.

Loading content…