Production-ready JWT authentication API with refresh tokens, CSRF protection, and Redis storage.
Educational project for learning modern authentication patterns with Node.js.
- JWT Access & Refresh Tokens with automatic rotation
- CSRF Protection (Double Submit Cookie pattern)
- Redis for persistent refresh token storage
- Rate limiting to prevent brute force attacks
- Winston + Morgan logging with chalk styling
- Comprehensive test suite with Jest & Supertest
- ESLint + Prettier for code quality
- Docker Compose for easy development
- Runtime: Node.js 20+
- Framework: Express.js 5.x
- Database: MongoDB + Mongoose
- Cache: Redis (refresh tokens)
- Security: bcrypt, JWT, CSRF, rate limiting
- Logging: Winston, Morgan, Chalk
- Testing: Jest + Supertest
- Code Quality: ESLint + Prettier
- Node.js 20+
- Docker & Docker Compose
```bash
# Clone repository
git clone https://github.com/n1kFord/jwt-auth.git
cd jwt-auth

# Install dependencies
npm install

# Copy environment variables
cp .env.example .env

# Start MongoDB and Redis
docker-compose up -d

# Run development server
npm run dev
```

Example `.env`:

```env
PORT=8080
MONGO_URI=mongodb://localhost:27017/authDB
REDIS_CLIENT_URI=redis://localhost:6379
JWT_SECRET=your-jwt-secret
JWT_REFRESH_SECRET=your-refresh-secret
```

```
jwt-auth/
├── src/
│   ├── config/        # Configuration (DB, Redis, constants)
│   ├── middlewares/   # Auth, CSRF, validation, logging
│   ├── models/        # User model
│   ├── routers/       # /auth and /me endpoints
│   ├── store/         # Redis token storage
│   ├── utils/         # Helpers (tokens, logger, hash, cookies)
│   ├── __tests__/     # Jest tests
│   └── index.js       # Entry point
├── logs/              # Winston log files
├── docker-compose.yml
├── Dockerfile
└── package.json
```
- Winston: file and console logging with levels (error, warn, info, debug)
- Morgan: HTTP request logging integrated with Winston
- Chalk: colored console output
```bash
npm run lint     # Check code style
npm run format   # Auto-format with Prettier
```

Auth endpoints (`/auth` router):

| Method | Endpoint | Description |
|---|---|---|
| POST | /auth/register | Register user |
| POST | /auth/login | Login user |
| POST | /auth/refresh | Refresh tokens |
| POST | /auth/logout | Logout |

Profile endpoints (`/me` router):

| Method | Endpoint | Description |
|---|---|---|
| GET | /me/ | Get profile |
| POST | /me/change-email | Change email |
| POST | /me/change-password | Change password |
| POST | /me/change-username | Change username |
| POST | /me/change-bio | Change bio |
| DELETE | /me/ | Delete account |

In the curl examples below, register and login send only a JSON body, while the request to `/me/` carries the `x-csrf-token` header together with the `XSRF-TOKEN` cookie; that header/cookie pair is what the Double Submit Cookie check compares.
```bash
curl -X POST http://localhost:8080/auth/register \
  -H "Content-Type: application/json" \
  -d '{"email":"user@example.com","password":"secret123","confirmPassword":"secret123"}'
```

```bash
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"user@example.com","password":"secret123"}'
```

The value in the `x-csrf-token` header must be identical to the `XSRF-TOKEN` cookie, because the Double Submit Cookie check compares the two; the `token` cookie carries the access token:

```bash
curl -X GET http://localhost:8080/me/ \
  -H "x-csrf-token: <csrf-token>" \
  -H "Cookie: token=<access-token>; XSRF-TOKEN=<csrf-token>"
```

```bash
npm test
```

```bash
# Start all services
docker-compose up -d

# Stop all services
docker-compose down
```

| Variable | Description |
|---|---|
| PORT | Server port (default: 8080) |
| MONGO_URI | MongoDB connection string |
| REDIS_CLIENT_URI | Redis connection string |
| JWT_SECRET | Secret for access tokens |
| JWT_REFRESH_SECRET | Secret for refresh tokens |

The placeholder secrets in `.env.example` are for local development only. Use two different, randomly generated values of at least 32 bytes for `JWT_SECRET` and `JWT_REFRESH_SECRET`; keeping them distinct means a token signed for one purpose cannot be verified as the other.
- JWT with short-lived access tokens (15 min) and long-lived refresh tokens (7 d)
- Token rotation: a new refresh token is issued on each refresh, so a refresh token is single-use
- CSRF protection: Double Submit Cookie pattern
- Rate limiting: 100 requests per 15 minutes globally, 10 attempts on login
- HttpOnly cookies: page scripts cannot read the token cookie, so an XSS bug cannot exfiltrate the token directly (HttpOnly does not prevent XSS itself)
- bcrypt for password hashing
Contributions are welcome! Feel free to open issues and pull requests.
This project is licensed under the MIT License.
Feel free to use, modify, and distribute with attribution.
Created with care by @n1kFord
Star this repo if you found it helpful!