This project is a REST API for authentication and authorization, including support for two-factor authentication (2FA). It is designed to provide a secure and scalable solution for managing user authentication and access control in web applications. The API supports various authentication methods, including traditional username and password, as well as modern techniques like OAuth and JWT (JSON Web Tokens). Additionally, it includes features for account recovery, password reset, and user role management, making it a comprehensive solution for handling user authentication and authorization needs.
Prerequisites:

- Node.js
- npm (Node Package Manager)

Installation:

1. Clone the repository:

```
git clone https://github.com/your-repo/rest-api-auth.git
cd rest-api-auth
```

2. Install dependencies:

```
npm install
```

3. Create a `.env` file in the root directory and add the following environment variables:

```
PORT=3000
ACCESS_TOKEN_SECRET=your_access_token_secret
REFRESH_TOKEN_SECRET=your_refresh_token_secret
ACCESS_TOKEN_EXPIRES_IN=15m
REFRESH_TOKEN_EXPIRES_IN=7d
CACHE_TEMPORARY_TOKEN_PREFIX=tempToken_
```

4. Start the server:

```
npm start
```
Dependencies:

- express: Fast, unopinionated, minimalist web framework for Node.js
- bcryptjs: Library to help you hash passwords
- jsonwebtoken: JSON Web Token (JWT) implementation
- otplib: One Time Password (OTP) library
- qrcode: QR code generator
- crypto: Node.js built-in module for cryptographic functionality
- node-cache: Simple and fast Node.js internal caching
- nedb-promises: A persistent database for Node.js, with a MongoDB-like API
API endpoints:

- URL: POST /api/auth/register
- Request Body: { "name": "Apurva Kumar", "email": "[email protected]", "password": "12345", "role": "moderator" }
- Description: Registers a new user.

- URL: POST /api/auth/login
- Request Body: { "email": "[email protected]", "password": "123345" }
- Description: Logs in a user and returns access and refresh tokens. If 2FA is enabled for the user, a temporary token is returned instead, to be exchanged at /api/auth/login/2fa.

- URL: POST /api/auth/login/2fa
- Request Body: { "tempToken": "PYTDWXCMI4GQWYAI", "otp": "489647" }
- Description: Verifies the 2FA token and returns access and refresh tokens.

- URL: POST /api/auth/refresh-token
- Request Body: { "refreshToken": "your_refresh_token" }
- Description: Refreshes the access token using the refresh token.

- URL: GET /api/auth/logout
- Headers: { "Authorization": "Bearer your_access_token" }
- Description: Logs out the user by invalidating the access and refresh tokens.

- URL: GET /api/users/current
- Headers: { "Authorization": "Bearer your_access_token" }
- Description: Retrieves the current authenticated user's information.

- URL: GET /api/admin
- Headers: { "Authorization": "Bearer your_access_token" }
- Description: Access restricted to admin users.

- URL: GET /api/moderator
- Headers: { "Authorization": "Bearer your_access_token" }
- Description: Access restricted to admin and moderator users.

- URL: GET /api/auth/2fa/generate
- Headers: { "Authorization": "Bearer your_access_token" }
- Description: Generates a QR code for setting up 2FA.

- URL: POST /api/auth/2fa/validate
- Headers: { "Authorization": "Bearer your_access_token" }
- Request Body: { "totp": "827420" }
- Description: Validates the 2FA token and enables 2FA for the user.
To enable two-factor authentication (2FA), you need to install an authenticator application on your mobile device. Some popular options include:
After installing the authenticator app, call the /api/auth/2fa/generate endpoint to generate a QR code, then scan the QR code with your authenticator app to set up 2FA. Confirm the setup by sending a code from the app to /api/auth/2fa/validate.
You can import the provided Postman collection to test the API endpoints.
Contributions are welcome! Please follow these steps to contribute:

- Fork the repository.
- Create a new branch (git checkout -b feature-branch).
- Make your changes.
- Commit your changes (git commit -m 'Add some feature').
- Push to the branch (git push origin feature-branch).
- Open a pull request.
This project is licensed under the MIT License.