Educational project for learning authentication patterns with Express.js, sessions, and CSRF protection.
A production-ready authentication system built with Express.js, featuring session-based authentication, CSRF protection, rate limiting, comprehensive logging, and extensive testing. Perfect for learning modern web authentication patterns.
- Session-based authentication with express-session
- CSRF protection (Synchronizer Token Pattern)
- Redis session store for production scalability
- MongoDB with Mongoose ODM
- Winston + Morgan logging with chalk styling
- Comprehensive test suite with Jest & Supertest
- ESLint + Prettier for code quality
- Rate limiting to prevent brute force attacks
- Password hashing with bcrypt
- CORS configuration for cross-origin requests
- Input validation with express-validator
- Session regeneration on login (prevents fixation attacks)
- Runtime: Node.js 20+
- Framework: Express.js 5.x
- Database: MongoDB + Mongoose
- Session Store: Redis (connect-redis)
- Logging: Winston, Morgan, Chalk
- Testing: Jest + Supertest
- Code Quality: ESLint + Prettier
- Security: bcrypt, CSRF, rate limiting, CORS
- Node.js (v20 or higher)
- Docker & Docker Compose
- npm or yarn
```bash
# Clone repository
git clone https://github.com/n1kFord/session-auth.git
cd session-auth

# Install dependencies
npm install

# Copy environment variables
cp .env.example .env

# Start MongoDB and Redis
docker-compose up -d

# Run development server
npm run dev
```

```env
PORT=8080
MONGO_URI=mongodb://localhost:27017/authDB
REDIS_CLIENT_URI=redis://localhost:6379
REDIS_SECRET=your-super-secret-key-here
```

```
session-auth/
├── src/
│   ├── config/        # DB, Redis, session config
│   ├── middlewares/   # Auth, CSRF, validation, logging
│   ├── models/        # User model
│   ├── routers/       # /auth and /me endpoints
│   ├── utils/         # Helpers (csrf, hash, session)
│   ├── __tests__/     # Jest tests
│   └── index.js       # Entry point
├── logs/              # Winston log files
├── docker-compose.yml
├── Dockerfile
└── package.json
```
- Winston: file + console logging with levels (error, warn, info, debug)
- Morgan: HTTP request logging integrated with Winston
- Chalk: colored console output for better readability
```bash
npm run lint    # Check code style
npm run format  # Auto-format with Prettier
```

Routes under `/auth`:

| Method | Endpoint | Description | CSRF |
|---|---|---|---|
| POST | /register | Register user | (marker lost) |
| POST | /login | Login user | (marker lost) |
| POST | /logout | Logout user | (marker lost) |

Routes under `/me`:

| Method | Endpoint | Description | CSRF |
|---|---|---|---|
| GET | / | Get profile | (marker lost) |
| POST | /change-email | Change email | (marker lost) |
| POST | /change-password | Change password | (marker lost) |
| POST | /change-username | Change username | (marker lost) |
| POST | /change-bio | Change bio | (marker lost) |
| DELETE | / | Delete account | (marker lost) |
```bash
# Register
curl -X POST http://localhost:8080/auth/register \
  -H "Content-Type: application/json" \
  -d '{"email":"user@example.com","password":"secret123","confirmPassword":"secret123"}'

# Login
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"user@example.com","password":"secret123"}'

# Get profile (with CSRF)
curl -X GET http://localhost:8080/me/ \
  -H "X-XSRF-Token: your-csrf-token" \
  -H "Cookie: sessionId=your-session-id"
```

```bash
npm test
```

```bash
# Start all services
docker-compose up -d

# Stop all services
docker-compose down
```

- Session-based with HTTP-only cookies
- CSRF protection (Synchronizer Token Pattern)
- Rate limiting: 100 req/15min, 10 login attempts
- Password hashing with bcrypt
- Session regeneration on login
- Input validation with express-validator
This project is licensed under the MIT License.
Feel free to use, modify, and distribute with attribution.
Created with care by @n1kFord
Star this repo if you found it helpful!