This project is an example implementation of user email authentication with NestJS v8.4.6, MongoDB and PassportJS.
It can be used as a starter for a new project: it implements an API for user sign-in/sign-up and features like email verification, forgotten password, password reset, profile update and user settings.
Install Node.js and MongoDB on your machine, then install the dependencies with npm and run the application:

```sh
npm install
npm run start
```

Or run everything with Docker Compose:

```sh
docker-compose up -d
```
This starts 3 containers:

- nestjs: the Node.js application -> localhost:3000 (you can change the port in docker-compose.yml)
- mongodb: the database -> exposes 27017 on the container network, but it is not reachable from outside
- mongo-express: a web-based MongoDB admin interface -> localhost:8081

You can edit the configuration in docker-compose.yml.

Note: for security reasons, remember to change the db password in docker-compose.yml and in the config.ts file, and to change the mongo-express password used to access the console.
You can find a config.ts file in the root of the project. Before running the server, set your db configuration (depending on whether you are using Docker or not) and your Nodemailer options, so that the server can send registration emails:

```js
// Docker example
"db": {
  "user": "root",
  "pass": "example",
  "host": "mongo",
  "port": "27017",
  "database": "testdb",
  "authSource": "admin"
}

// Local nodejs example
"db": {
  "user": null,
  "pass": null,
  "host": "localhost",
  "port": "27017",
  "database": "testdb",
  "authSource": null
}
...
"host": {
  "url": "<server-url>", // used in the confirmation link sent by email: it redirects users to your server to confirm their email address
  "port": "3000"
},
...
"mail": {
  "host": "<smtp-host>", // Nodemailer settings (see the Nodemailer documentation for further information); the signup API only starts working once this is set
  "port": "<port>",
  "secure": false,
  "user": "<username>",
  "pass": "<password>"
}
```
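As an added example (not code from the project), the following TypeScript builds a MongoDB connection URI from the two `db` blocks shown above and lets the committed password be overridden from the environment, so the `example` password from docker-compose.yml never has to reach production. The field names are those of config.ts; the builder itself, the `DB_USER`/`DB_PASS`/`DB_HOST` variable names and the redaction helper are assumptions, not something the project defines:

```typescript
// Added example, not part of the project: derive a MongoDB URI from the "db"
// block of config.ts. Field names follow the README; everything else is assumed.

interface DbConfig {
  user: string | null;
  pass: string | null;
  host: string;
  port: string;
  database: string;
  authSource: string | null;
}

// Constructed sample configs mirroring the two README examples.
const DOCKER_DB: DbConfig = { user: "root", pass: "example", host: "mongo", port: "27017", database: "testdb", authSource: "admin" };
const LOCAL_DB: DbConfig = { user: null, pass: null, host: "localhost", port: "27017", database: "testdb", authSource: null };

function buildMongoUri(db: DbConfig): string {
  // Credentials are optional (local, unauthenticated MongoDB) and must be
  // percent-encoded: a password containing "@" or ":" would otherwise break the URI.
  const credentials =
    db.user !== null && db.pass !== null
      ? `${encodeURIComponent(db.user)}:${encodeURIComponent(db.pass)}@`
      : "";
  // authSource is only meaningful when authenticating (the Docker case).
  const query = db.authSource !== null ? `?authSource=${encodeURIComponent(db.authSource)}` : "";
  return `mongodb://${credentials}${db.host}:${db.port}/${db.database}${query}`;
}

// Overrides the committed values from the environment (assumed variable names).
// `env` is passed in explicitly so the function is testable without process.env.
function withEnvOverrides(db: DbConfig, env: Record<string, string | undefined>): DbConfig {
  return {
    ...db,
    user: env.DB_USER ?? db.user,
    pass: env.DB_PASS ?? db.pass,
    host: env.DB_HOST ?? db.host,
  };
}

// Masks the password so the URI can appear in startup logs (the README logs
// every request and response, so keep secrets out of anything that is logged).
function redactUri(uri: string): string {
  return uri.replace(/\/\/([^:@/]+):([^@/]+)@/, "//$1:***@");
}
```

Call `buildMongoUri(withEnvOverrides(config.db, process.env))` where the connection is opened, and log only `redactUri(uri)`.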
The server will listen on port 3000 and exposes the following APIs:

- `POST /auth/email/register` - Register a new user
  - email - string
  - password - string
  - name - string (optional)
  - surname - string (optional)
- `POST /auth/email/login` - Login user
  - email - string
  - password - string
- `GET /auth/email/verify/:token` - Validates the token sent in the email and activates the user's account
- `GET /auth/email/resend-verification/:email` - Resend verification email
- `GET /auth/email/forgot-password/:email` - Send a token via email to reset the password
- `POST /auth/email/reset-password` - Change user password
  - newPassword - string
  - newPasswordToken - string (token received from the forgot-password API)
- `GET /auth/users` - Returns all users (must be logged in)
- `GET /users/user/:email` - Returns the selected user's info (must be logged in)
- `POST /users/profile/update` - Update user info
  - name - string
  - surname - string
  - phone - string
  - email - string
  - birthdaydate - Date
  - profilepicture - string (base64)
- `POST /users/gallery/update` - Add/remove user photos
  - email - string
  - action - string ('add' or 'remove')
  - newPhoto - object (only for action 'add')
    - imageData - string (base64)
    - description - string
  - photoId - string (base64) (only for action 'remove')
- `POST settings/update` - Update user settings
  - email - string
  - settingsKey1 - string (Value1)
  - settingsKey2 - string (Value2)
  - ...
This project uses a JSON Web Token (JWT) bearer token as the authentication strategy for Passport. The login API returns an access_token, which you must send in the Authorization header of every call that requires authentication. You can find an example with Postman here.

Login response:

```json
{
  ...
  "data": {
    "token": {
      "expires_in": "3600",
      "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...._DkYJJh4s"
    },
    ...
  }
}
```

Authorization header example:

```
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...._DkYJJh4s
```
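The login-then-bearer flow above, written out as an added TypeScript client example (this is not code from the project). The endpoint paths and the shape of the login response are taken from this README; the `AuthClient` class, the `FetchLike`/`HttpResponse` types and the expiry helpers are assumptions. The client takes a fetch function as a parameter so it can be exercised offline:

```typescript
// Added example, not part of the project: a minimal client for the documented
// login flow. Endpoint paths and response shape come from the README; the
// types and helpers below are assumed.

interface LoginToken {
  accessToken: string;
  expiresIn: number;
}

// Just enough of fetch/Response to type the client; pass the global fetch in production.
interface HttpResponse { status: number; ok: boolean; json(): Promise<unknown>; }
type FetchLike = (
  url: string,
  init?: { method?: string; headers?: Record<string, string>; body?: string }
) => Promise<HttpResponse>;

// Extracts the token. Note that expires_in is a string in the documented
// response, so it is converted to a number here.
function parseLoginResponse(body: unknown): LoginToken {
  const token = (body as { data?: { token?: { access_token?: unknown; expires_in?: unknown } } })?.data?.token;
  if (!token || typeof token.access_token !== "string") {
    throw new Error("login response missing data.token.access_token");
  }
  const expiresIn = Number(token.expires_in);
  if (!Number.isFinite(expiresIn)) throw new Error("login response has a non-numeric expires_in");
  return { accessToken: token.access_token, expiresIn };
}

// Builds the Authorization header shown above.
function bearerHeader(accessToken: string): Record<string, string> {
  return { Authorization: `Bearer ${accessToken}` };
}

// Decodes the JWT payload WITHOUT verifying the signature: a client may read
// `exp` to refresh before sending a stale token, but only the server's Passport
// JWT strategy decides whether a token is valid.
function decodeJwtPayload(token: string): Record<string, unknown> {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected header.payload.signature)");
  // base64url -> base64, restoring the padding atob expects
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(parts[1].length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function isExpired(token: string, nowSeconds: number = Math.floor(Date.now() / 1000)): boolean {
  const exp = decodeJwtPayload(token).exp;
  return typeof exp === "number" && exp <= nowSeconds;
}

class AuthClient {
  constructor(private readonly baseUrl: string, private readonly fetchImpl: FetchLike) {}

  // POST /auth/email/login with the documented body fields.
  async login(email: string, password: string): Promise<LoginToken> {
    const res = await this.fetchImpl(`${this.baseUrl}/auth/email/login`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ email, password }),
    });
    if (!res.ok) throw new Error(`login failed with HTTP ${res.status}`);
    return parseLoginResponse(await res.json());
  }

  // A protected call: GET /auth/users with the bearer header.
  async listUsers(accessToken: string): Promise<unknown> {
    const res = await this.fetchImpl(`${this.baseUrl}/auth/users`, { headers: bearerHeader(accessToken) });
    if (res.status === 401) throw new Error("token rejected: log in again");
    if (!res.ok) throw new Error(`listUsers failed with HTTP ${res.status}`);
    return res.json();
  }
}
```

Against a running server, construct it as `new AuthClient("http://localhost:3000", (url, init) => fetch(url, init))`, call `login`, and check `isExpired(token.accessToken)` before reusing a stored token.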
All requests and responses are logged, which can help you debug in production. If you use pm2 as your process manager, I suggest installing pm2-logrotate on your server.

The project implements some Node.js security techniques:

- Helmet: helps protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately
- Express Rate Limit: protects your application from brute-force attacks
  - In main.ts you can set a limit on the number of requests in a time window (the default is 100 requests per 15 minutes for all endpoints, and 3 requests per hour for the sign-up endpoint)
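To make the two default policies concrete, here is an added TypeScript model of them (not the project's code, which uses express-rate-limit in main.ts): a fixed-window counter keyed by client IP, with the global 100-per-15-minutes budget applied to every request and the 3-per-hour budget applied only to `POST /auth/email/register`. The `FixedWindowLimiter`/`ApiRateLimiter` names, the injected clock and the per-IP keying are assumptions made so the policy can be tested without a running server:

```typescript
// Added example, not part of the project: a stand-alone model of the README's
// rate-limit policies. Class names, keying and the injected clock are assumed.

interface RateLimitPolicy { windowMs: number; max: number; }
interface RateLimitDecision { allowed: boolean; remaining: number; retryAfterMs: number; }

// The two defaults described in the README.
const GLOBAL_POLICY: RateLimitPolicy = { windowMs: 15 * 60 * 1000, max: 100 };
const SIGNUP_POLICY: RateLimitPolicy = { windowMs: 60 * 60 * 1000, max: 3 };

class FixedWindowLimiter {
  private readonly windows = new Map<string, { count: number; resetAt: number }>();

  // `now` returns epoch milliseconds; injected so tests can move time forward.
  constructor(private readonly policy: RateLimitPolicy, private readonly now: () => number) {}

  hit(key: string): RateLimitDecision {
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t >= w.resetAt) {
      // New key, or the previous window has elapsed: start a fresh window.
      w = { count: 0, resetAt: t + this.policy.windowMs };
      this.windows.set(key, w);
    }
    w.count += 1; // blocked requests still count, as they do by default in express-rate-limit
    const allowed = w.count <= this.policy.max;
    return {
      allowed,
      remaining: Math.max(0, this.policy.max - w.count),
      retryAfterMs: allowed ? 0 : w.resetAt - t,
    };
  }
}

// Mirrors the middleware layering: the global limiter sees every request first,
// and the stricter sign-up limiter only sees POST /auth/email/register.
// Returns the HTTP status the request would get (429 when a limit is exceeded).
class ApiRateLimiter {
  private readonly global: FixedWindowLimiter;
  private readonly signup: FixedWindowLimiter;

  constructor(now: () => number) {
    this.global = new FixedWindowLimiter(GLOBAL_POLICY, now);
    this.signup = new FixedWindowLimiter(SIGNUP_POLICY, now);
  }

  handle(ip: string, method: string, path: string): number {
    if (!this.global.hit(ip).allowed) return 429;
    if (method === "POST" && path === "/auth/email/register" && !this.signup.hit(ip).allowed) return 429;
    return 200;
  }
}
```

Because the global limiter counts the sign-up attempts too, a client that exhausts the sign-up budget has also spent four of its 100 global requests; keep that in mind if you tune the numbers in main.ts.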
If you want to contribute to this starter, consider:

- Reporting bugs and errors
- Improving the documentation
- Creating new features and pull requests

All contributions are welcome!

Licensed under the MIT license.