A production-style authentication system built using Node.js, Express, MongoDB, Redis, and JWT.
This project demonstrates a secure backend authentication architecture including email OTP verification, refresh tokens, Redis session caching, and token blacklisting similar to real-world SaaS applications.
β User Registration β Email OTP Verification β Resend OTP β Secure Login β JWT Access Tokens β Refresh Token Rotation β Redis Session Caching β Access Token Blacklisting (Logout) β HTTP-only Refresh Token Cookies β Session Tracking (IP + User-Agent)
Client
β
βΌ
Express API (Node.js)
β
βββ MongoDB
β βββ Users
β βββ OTPs
β βββ Sessions
β
βββ Redis
βββ Session Cache
βββ Token Blacklist
Authentication Flow:
Register
β
OTP sent to Email
β
Verify Email
β
Login
β
Access Token (10 minutes)
Refresh Token (7 days)
β
Session stored in MongoDB
Session cached in Redis
Backend
- Node.js
- Express.js
Database
- MongoDB
- Redis
Authentication
- JSON Web Tokens (JWT)
- bcrypt
Email Service
- Nodemailer
Testing
- Postman
Auth-System
β
βββ src
β β
β βββ controllers
β β auth.controller.js
β β
β βββ models
β β user.model.js
β β session.model.js
β β otp.model.js
β β
β βββ routes
β β auth.routes.js
β β
β βββ config
β β config.js
β β cache.js
β β
β βββ services
β β email.service.js
β β
β βββ utils
β β utils.js
β β
β βββ server.js
β
βββ package.json
βββ README.md
Create a .env file in the root directory.
PORT=3000
MONGO_URI=your_mongodb_connection_string
JWT_SECRET=your_jwt_secret
JWT_EXPIRES_IN=7d
REDIS_URL=redis://127.0.0.1:6379
EMAIL_USER=your_email
EMAIL_PASS=your_email_passwordClone the repository
git clone https://github.com/ishanbhardwaj17/Authentication-SystemNavigate to the project directory
cd auth-systemInstall dependencies
npm installStart the development server
npm run devServer runs on
http://localhost:3000
POST /api/auth/registerBody
{
"username": "john",
"email": "john@example.com",
"password": "password123"
}POST /api/auth/verify-emailBody
{
"email": "john@example.com",
"otp": "123456"
}POST /api/auth/resend-otpBody
{
"email": "john@example.com"
}POST /api/auth/loginBody
{
"email": "john@example.com",
"password": "password123"
}Response
{
"accessToken": "JWT_TOKEN"
}Refresh token is stored in HTTP-only cookie.
GET /api/auth/meHeaders
Authorization: Bearer ACCESS_TOKENPOST /api/auth/refresh-tokenUses refresh token stored in cookie.
POST /api/auth/logoutHeaders
Authorization: Bearer ACCESS_TOKENActions performed:
- Blacklists access token in Redis
- Deletes session from MongoDB
- Clears refresh token cookie
β Password hashing with bcrypt β HTTP-only refresh token cookies β Access token expiration β Refresh token rotation β Redis token blacklist β Email OTP verification β Session tracking (IP + User-Agent)
Users
users
Stores user credentials and verification status.
OTP
otps
Stores hashed OTPs used for email verification.
Sessions
sessions
Stores refresh token hashes and session metadata.
You can import the Postman collection to test the API.
Location:
postman/auth-system-postman.json
Recommended flow:
1 Register
2 Verify Email
3 Login
4 Access Protected Route
5 Refresh Token
6 Logout
- Forgot Password / Reset Password
- Google OAuth Login
- OTP Rate Limiting
- Device-based session management
- Swagger API Documentation
Built as a backend authentication system project demonstrating modern authentication architecture using Node.js.
If you like this project, consider starring the repository.