Welcome to the Strict Authentication Service, a secure and scalable backend authentication system engineered using Node.js, Express.js, and PostgreSQL, designed with industry-grade practices such as Rate Limiting, Single-Device Tracking, and Token Rotation (JWT). This project is structured with modularity, reusability, and production-readiness in mind, powered by real-world system design and software engineering principles.
- ๐ Introduction
- ๐งช Features
- ๐ง Tech Stack
- ๐ง Design Principles & Patterns
- ๐งฑ Folder Structure
- ๐ ๏ธ Environment Variables
- ๐ฆ Rate Limiting Logic
- ๐งช Testing Strategy
- ๐งฌ Planned Enhancements
- ๐ฏ Final Takeaway
This monolithic authentication backend is engineered to support:
- Secure account creation with single active session per user
- Refresh and access token generation with custom expiry
- Custom JWT validation middleware
- Admin auto-creation at server start
- Per-device rate limiting for brute-force prevention
- Intelligent logging for each action (e.g., sign in, sign out, register)
- APIs to block or unblock device access manually (admin-controlled)
The entry point for this project is server.js, where all major components are initialized including:
- PostgreSQL connection
- Admin account bootstrap
- Centralized route mounting
- Global error and 404 handling
- Cron job triggers
| ๐น Feature | โ Implemented |
|---|---|
| Single-Device Login Enforcement | โ๏ธ |
| JWT Token Generation | โ๏ธ |
| Rate Limiting per Device & Route | โ๏ธ |
| Admin Auto-Creation at Startup | โ๏ธ |
| Authentication Logs | โ๏ธ |
| Centralized Error Handling | โ๏ธ |
| Cookie Parser + JSON Body Parsing | โ๏ธ |
| Cron Job Integration | โ๏ธ |
| Intelligent 404 Rate Monitoring | โ๏ธ |
| Block/Unblock Device API | โ๏ธ |
- Node.js: Runtime
- Express.js: Web framework
- PostgreSQL + Prisma: NoSQL DB with schema modeling
- JWT: Token-based authentication
- dotenv: Environment config management
- cookie-parser: For handling cookies
- uuid: For generating
deviceID
| Principle | Full Form | Usage |
|---|---|---|
| SOLID | Single Responsibility, Open-Closed, Liskov Substitution, Interface Segregation, Dependency Inversion | Modular services, controllers, utils follow SRP |
| DRY | Donโt Repeat Yourself | Reused logic across tokens, logging, error handlers |
| KISS | Keep It Simple, Stupid | Clear token logic, admin setup kept straightforward |
| YAGNI | You Arenโt Gonna Need It | Avoided premature scaling or over-engineering |
| Pattern | Purpose |
|---|---|
| Singleton | MongoDB connection, express server bootstrap |
| Factory | Token generation utility with expiry injection |
| Template Method | Used in log writing & token validation flow (extendable blueprint) |
| Observer (simulated) | Setup ready for future log-subscriber or event-bus design |
๐ฆ Total 12 folders and 5 files are present in this project directory.
| Folder Name | Description |
|---|---|
๐ rate-limiters/ |
Device & route-specific rate limit services |
๐ controllers/ |
Handles business logic for auth routes |
๐ configs/ |
Configuration files for DB, server, tokens |
๐ middlewares/ |
JWT auth, global error, malformed JSON etc. |
๐ utils/ |
Utility functions like token creation, logs |
๐ services/ |
Handles internal logic like limiter service |
๐ routes/ |
Route entry-point for all modules |
๐ prisma/ |
Prisma schema and database access layer |
๐ cron-jobs/ |
Server-triggered tasks on boot |
๐ internal-calls/ |
For internal microservice/API interaction |
๐ node_modules/ |
Auto-installed dependencies |
๐ clients/ |
Includes clients that interact with Database |
| File Name | Description |
|---|---|
server.js |
๐ฏ Entry point โ starts DB, routes, admin |
.env.example |
๐ Sample environment configuration |
package.json |
๐ฆ Project metadata and script definitions |
package-lock.json |
๐ Locked dependency tree for consistent build |
.gitignore |
๐ซ Files/directories ignored in version control |
(Same as earlier โ no changes required unless new secrets are introduced for block/unblock APIs.)
The logic remains focused on device-based tracking, but now it enforces single device session per user. If the user tries to log in from another device, the older one is invalidated unless explicitly logged out.
Also:
- Devices can be blocked manually by the admin using the block device API.
- Blocked devices are prevented from making any further requests unless unblocked.
DeviceID plays a critical role in both rate limiting and access enforcement. DeviceID + UserID combo is also used in Rate Limiting where Token is Required
In addition to earlier cases, following have been tested:
- โ Access denied from blocked device
- โ Unblock restores access
- โ Attempt to use access token from blocked device is rejected
| ๐ฎ Enhancement | Priority | Notes |
|---|---|---|
| Role-Based Access Control (RBAC) | ๐บ High | Allow role assignment to users (e.g., ADMIN, MODERATOR, USER) |
| OTP-Based Authentication | ๐บ High | Add SMS/Email-based OTPs for passwordless login |
| API Rate Limits per User Tier | ๐ธ Medium | Different limits for free vs. premium accounts |
| PostgreSQL Index Optimization | ๐ธ Medium | Speed up query performance and reduce latency |
| Test Automation | ๐น Low | Integrate with CI/CD for robust test coverage |
This updated Strict Auth backend narrows down to a single-device secure session system, eliminating ambiguity and enabling administrators to control device access through direct APIs. It simulates the authentication needs of banking apps, sensitive enterprise tools, or IoT platforms, where session control and device-level trust are paramount.
- How to restrict user login to one device at a time
- How to implement manual device blocking logic
- How to scale secure auth systems for production
- How to track request behavior route-by-route per device
- How to enforce token validity even after logout or block
๐ Designed & Engineered with Precision by Yatharth Kumar Saxena ๐