secure-auth-api-v1

Author: zerowithzero

.gitignore

@@ -0,0 +1,3 @@
+.env
+/node_modules
+/logs

README.md

@@ -0,0 +1,101 @@
+# 🔐 Secure Authentication API (Node.js + JWT + OAuth2 + 2FA)
+
+A **secure authentication API** using **Node.js, Express, JWT, Google OAuth2, and Two-Factor Authentication (2FA)**.
+
+## 🚀 Features
+✅ **User Authentication** (Register, Login, Logout)  
+✅ **Google OAuth 2.0 Login**  
+✅ **JWT Token Authentication**  
+✅ **Two-Factor Authentication (2FA)** with OTP  
+✅ **Secure Routes** for logged-in users  
+✅ **Password Hashing with bcrypt**  
+✅ **Proper Error Handling & Security Measures**  
+
+---
+
+## 📂 Folder Structure
+```
+secure-auth-api-nodejs/
+│── config/              # Passport & OAuth Configurations
+│── models/              # Mongoose User Model
+│── routes/              # API Routes (Auth, Users, Protected)
+│── middleware/          # Authentication Middleware
+│── controllers/         # Business Logic (User handling)
+│── .env                 # Environment Variables
+│── server.js            # Main Express App
+│── package.json         # Dependencies & Scripts
+│── README.md            # Project Documentation
+```
+
+---
+
+## 🚀 Quick Setup Guide  
+
+### 1️⃣ Clone the Repository  
+```bash
+git clone https://github.com/your-username/secure-auth-api-nodejs.git
+cd secure-auth-api-nodejs
+```
+
+### 2️⃣ Install Dependencies  
+```bash
+npm install
+```
+
+### 3️⃣ Setup Environment Variables  
+Create a **.env** file in the root directory and add:  
+```env
+PORT=5000
+MONGO_URI=your_mongodb_connection_string
+JWT_SECRET=your_jwt_secret
+GOOGLE_CLIENT_ID=your_google_client_id
+GOOGLE_CLIENT_SECRET=your_google_client_secret
+EMAIL_SERVICE=email_service_for_2fa
+EMAIL_USER=your_email
+EMAIL_PASS=your_email_password
+```
+
+### 4️⃣ Start the Server  
+```bash
+npm run dev
+```
+🚀 Your API will now run on **http://localhost:5000**  
+
+---
+
+## 🔗 API Endpoints  
+
+### **User Authentication**  
+| Method | Endpoint             | Description                 |
+|--------|----------------------|-----------------------------|
+| POST   | `/api/auth/register` | Register a new user        |
+| POST   | `/api/auth/login`    | Login and get JWT token    |
+| GET    | `/api/auth/logout`   | Logout user                |
+
+### **Google Authentication**  
+| Method | Endpoint                | Description                     |
+|--------|-------------------------|---------------------------------|
+| GET    | `/api/auth/google`       | Redirects to Google Login      |
+| GET    | `/api/auth/google/callback` | Google OAuth callback         |
+
+### **Protected Routes (JWT Required)**  
+| Method | Endpoint            | Description          |
+|--------|---------------------|----------------------|
+| GET    | `/api/protected`    | Test Protected Route |
+
+---
+
+## 🛡 Security Features Implemented  
+✅ **JWT Tokens** with expiration  
+✅ **Password Hashing** using bcrypt  
+✅ **Two-Factor Authentication (2FA)** via email OTP  
+✅ **Session Management** for Google OAuth  
+✅ **Error Handling & Input Validation**  
+
+---
+
+## 📜 License  
+This project is licensed under the **MIT License**.  
+
+🔗 **Live Demo:** _Coming Soon_ 🚀  
+💬 **Need Help?** Create an issue or reach out! 🎯  

config/passport.js

@@ -0,0 +1,47 @@
+const passport = require("passport");
+const GoogleStrategy = require("passport-google-oauth20").Strategy;
+const User = require("../models/User");
+
+passport.use(
+  new GoogleStrategy(
+    {
+      clientID: process.env.GOOGLE_CLIENT_ID,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+      callbackURL: "/api/auth/google/callback",
+    },
+    async (accessToken, refreshToken, profile, done) => {
+      try {
+        // Check if user already exists
+        let user = await User.findOne({ email: profile.emails[0].value });
+
+        if (!user) {
+          // Create new user
+          user = new User({
+            username: profile.displayName,
+            email: profile.emails[0].value,
+            googleId: profile.id,
+            isVerified: true,
+          });
+          await user.save();
+        }
+
+        done(null, user);
+      } catch (error) {
+        done(error, null);
+      }
+    }
+  )
+);
+
+passport.serializeUser((user, done) => {
+  done(null, user.id);
+});
+
+passport.deserializeUser(async (id, done) => {
+  try {
+    const user = await User.findById(id);
+    done(null, user);
+  } catch (error) {
+    done(error, null);
+  }
+});

controllers/authController.js

@@ -0,0 +1,135 @@
+const bcrypt = require("bcryptjs");
+const User = require("../models/User");
+const jwt = require("jsonwebtoken");
+const speakeasy = require("speakeasy");
+const QRCode = require("qrcode");
+
+// 📌 How this works:
+
+// Throws an error if the user is not found.
+// Passes it to errorHandler.js.
+exports.getUserProfile = async (req, res, next) => {
+  try {
+    const user = await User.findById(req.user.id);
+    if (!user) {
+      throw { status: 404, message: "User not found" }; // Throw an error
+    }
+    res.json(user);
+  } catch (error) {
+    next(error); // Pass error to middleware
+  }
+};
+
+exports.verify2FA = async (req, res) => {
+  try {
+    const { token } = req.body;
+    const user = await User.findById(req.user.id);
+
+    if (!user || !user.isTwoFactorEnabled) {
+      return res.status(400).json({ message: "2FA is not enabled" });
+    }
+
+    const isValid = speakeasy.totp.verify({
+      secret: user.twoFactorSecret,
+      encoding: "base32",
+      token,
+    });
+
+    if (!isValid) {
+      return res.status(400).json({ message: "Invalid OTP" });
+    }
+
+    res.json({ message: "2FA verification successful" });
+  } catch (error) {
+    res.status(500).json({ message: "Error verifying 2FA", error });
+  }
+};
+
+// Generate and return a 2FA secret and QR code
+exports.enable2FA = async (req, res) => {
+  try {
+    const user = await User.findById(req.user.id);
+    if (!user) {
+      return res.status(404).json({ message: "User not found" });
+    }
+
+    const secret = speakeasy.generateSecret({ length: 20 });
+
+    // Save the secret in the database
+    user.twoFactorSecret = secret.base32;
+    user.isTwoFactorEnabled = true;
+    await user.save();
+
+    // Generate QR code for Google Authenticator
+    const otpAuthUrl = `otpauth://totp/secure_auth_api?secret=${secret.ascii}&issuer=secure_auth_api`;
+    QRCode.toDataURL(otpAuthUrl, (err, imageUrl) => {
+      if (err)
+        return res.status(500).json({ message: "QR Code generation failed" });
+
+      res.json({
+        message: "2FA enabled",
+        secret: secret.base32, // Show only for testing
+        qrCode: imageUrl, // Send QR Code image URL
+      });
+    });
+  } catch (error) {
+    res.status(500).json({ message: "Error enabling 2FA", error });
+  }
+};
+
+exports.register = async (req, res) => {
+  try {
+    const { username, email, password } = req.body;
+
+    // Check if user already exists
+    const existingUser = await User.findOne({ email });
+    if (existingUser) {
+      return res.status(400).json({ message: "Email already in use" });
+    }
+
+    // Hash the password
+    const salt = await bcrypt.genSalt(10);
+    const hashedPassword = await bcrypt.hash(password, salt);
+
+    // Create a new user
+    const user = new User({
+      username,
+      email,
+      password: hashedPassword,
+    });
+
+    await user.save();
+
+    res.status(201).json({ message: "User registered successfully" });
+  } catch (error) {
+    res.status(500).json({ message: "Server error", error: error.message });
+  }
+};
+
+exports.login = async (req, res) => {
+  try {
+    const { email, password } = req.body;
+
+    // Check if user exists
+    const user = await User.findOne({ email });
+    if (!user) {
+      return res.status(400).json({ message: "Invalid email or password" });
+    }
+
+    // Verify password
+    const isMatch = await bcrypt.compare(password, user.password);
+    if (!isMatch) {
+      return res.status(400).json({ message: "Invalid email or password" });
+    }
+
+    // Generate JWT token
+    const payload = { userId: user._id };
+    const token = jwt.sign(payload, process.env.JWT_SECRET, {
+      expiresIn: "1h",
+    });
+
+    res.json({ message: "Login successful", token });
+  } catch (error) {
+    res.status(500).json({ message: "Server error", error: error.message });
+  }
+};

generate.js

@@ -0,0 +1 @@
+console.log(require("crypto").randomBytes(64).toString("hex"));

middleware/authMiddleware.js

@@ -0,0 +1,22 @@
+const jwt = require("jsonwebtoken");
+
+exports.authenticateJWT = (req, res, next) => {
+  const token = req.header("Authorization");
+
+  if (!token) {
+    return res
+      .status(401)
+      .json({ message: "Access denied. No token provided." });
+  }
+
+  try {
+    const decoded = jwt.verify(
+      token.replace("Bearer ", ""),
+      process.env.JWT_SECRET
+    );
+    req.user = decoded;
+    next();
+  } catch (error) {
+    return res.status(403).json({ message: "Invalid token" });
+  }
+};

middleware/errorHandler.js

@@ -0,0 +1,18 @@
+// 📌 How this works:
+
+// Logs errors using Winston.
+// Returns a JSON error response.
+// Hides error stack in production for security.
+
+const logger = require("../utils/logger");
+
+const errorHandler = (err, req, res, next) => {
+  logger.error(err.message); // Log error
+
+  res.status(err.status || 500).json({
+    message: err.message || "Internal Server Error",
+    error: process.env.NODE_ENV === "development" ? err.stack : null,
+  });
+};
+
+module.exports = errorHandler;

middleware/rateLimiter.js

@@ -0,0 +1,10 @@
+const rateLimit = require("express-rate-limit");
+
+const limiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // Limit each IP to 100 requests per windowMs
+  message: "Too many requests, please try again later.",
+  headers: true,
+});
+
+module.exports = limiter;

models/User.js

@@ -0,0 +1,21 @@
+const mongoose = require("mongoose");
+
+const UserSchema = new mongoose.Schema(
+  {
+    username: { type: String, required: true, unique: true },
+    email: { type: String, required: true, unique: true },
+    googleId: { type: String, unique: true, sparse: true }, // Store Google OAuth ID
+    password: {
+      type: String,
+      required: function () {
+        return !this.googleId;
+      },
+    }, // Required only if not using Google OAuth
+    isVerified: { type: Boolean, default: false }, // Email verification
+    twoFactorEnabled: { type: Boolean, default: false }, // 2FA status
+    twoFactorSecret: { type: String, default: null }, // 2FA secret key
+  },
+  { timestamps: true }
+);
+
+module.exports = mongoose.model("User", UserSchema);