Vipul99999/Authentication-RBAC

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

4 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation


πŸ“„ README.md

# 🔐 Enterprise Authentication & Authorization System

A production-grade backend system implementing **JWT authentication, session management, RBAC → ABAC authorization, OTP login, Google OAuth, and advanced security protections**.

---

## 🚀 Overview

This project is a **secure, scalable authentication platform** designed for modern applications.

It supports:
- Multi-device sessions
- Role & attribute-based access control
- Audit logging & security monitoring
- Multiple login methods (Password, OTP, OAuth)

---

## 🧠 Architecture

```
Frontend (Next.js)
      ↓
Backend (Node.js + Express)
      ↓
Database (PostgreSQL + Prisma)

Security layers:
  • JWT + refresh tokens
  • Session store (DB)
  • ABAC policy engine
  • Audit logs
```

---

## ✨ Features

### 🔐 Authentication
- JWT Access + Refresh Tokens
- Secure cookie-based session handling
- Refresh token rotation (anti-replay)
- Multi-device login support

### 🔑 Authorization
- RBAC (Admin / Handler / User)
- ABAC (attribute-based access control)
- Ownership & hierarchy enforcement

### 📱 Login Methods
- Email + Password
- OTP (phone-based)
- Google OAuth (restricted access)

### 🛡️ Security
- HTTP-only cookies (tokens are not readable by page scripts, which limits token theft through XSS)
- CSRF protection
- Rate limiting (anti-brute force)
- Account lock after failed attempts
- Device & IP binding
- Token reuse detection

### 📊 Monitoring
- Audit logs (login, logout, actions)
- Suspicious activity detection
- Admin security dashboard APIs

---

## 📁 Project Structure

```
backend/
├── prisma/
├── src/
│   ├── config/
│   ├── middleware/
│   ├── modules/
│   │   ├── auth/
│   │   ├── user/
│   │   ├── admin/
│   │   ├── otp/
│   │   ├── session/
│   │   ├── audit/
│   │   └── location/
│   ├── utils/
│   ├── types/
│   └── constants/
├── .env
├── prisma.config.ts
└── package.json
```

---

## ⚙️ Setup & Installation

### 1️⃣ Clone repo

```bash
git clone <your-repo-url>
cd backend
```

### 2️⃣ Install dependencies

```bash
npm install
```

### 3️⃣ Set up environment variables

Create `.env`:

```env
PORT=5000

DATABASE_URL=postgresql://user:password@localhost:5432/db

JWT_ACCESS_SECRET=your_access_secret
JWT_REFRESH_SECRET=your_refresh_secret

ACCESS_TOKEN_EXPIRES=15m
REFRESH_TOKEN_EXPIRES=1d

GOOGLE_CLIENT_ID=your_google_client_id
GOOGLE_CLIENT_SECRET=your_google_secret
FRONTEND_URL=http://localhost:3000
```

Keep `.env` out of version control (add it to `.gitignore`) and generate the two JWT secrets randomly, e.g. `openssl rand -base64 48`. They must differ from each other so that an access token can never be accepted as a refresh token, and they should differ per environment.

### 4️⃣ Run Prisma

```bash
npx prisma generate
npx prisma migrate dev
```

### 5️⃣ Start server

```bash
npm run dev
```

---

## 🔄 Authentication Flow

1. User logs in (Password / OTP / OAuth)
2. Access token issued (short-lived)
3. Refresh token stored in an HTTP-only cookie
4. Session stored in the database (one record per device)
5. Refresh token rotated on every refresh; a rotated-out token that is presented again is treated as reuse

## 🧩 RBAC → ABAC

### RBAC (Basic)

| Role | Access |
|---|---|
| Admin | full access |
| Handler | limited access |
| User | minimal access |

### ABAC (Advanced)

Access decisions combine:

- User attributes (role, location)
- Resource attributes (owner, district)
- Context (IP, device)

Examples:

- A Handler can access users only in the same district
- A User can access only their own profile
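
The rules above as an added example of a small policy engine (not the project's own): deny rules win over allow rules, and anything unmatched is denied. The attribute names (`district`, `ownerId`, `deviceId`), the restriction of Handlers and owners to non-destructive actions, and the device-binding check as a deny rule are assumptions made for the example.

```typescript
// Added example of the RBAC -> ABAC rules in the README; not the project's policy engine.
export type Role = "ADMIN" | "HANDLER" | "USER";
export type Action = "read" | "update" | "delete";

export interface Subject { id: string; role: Role; district?: string }
export interface Resource { ownerId: string; district?: string }   // a user record
export interface Context { deviceId: string; sessionDeviceId: string }

interface Policy {
  name: string;
  effect: "allow" | "deny";
  matches: (s: Subject, r: Resource, a: Action, c: Context) => boolean;
}

// Attribute-based rules. Order matters only among allows; any matching deny wins.
const policies: Policy[] = [
  {
    // Context: the request must come from the device the session was bound to.
    name: "deny-unbound-device",
    effect: "deny",
    matches: (_s, _r, _a, c) => c.deviceId !== c.sessionDeviceId,
  },
  { name: "admin-full-access", effect: "allow", matches: (s) => s.role === "ADMIN" },
  {
    // Handlers see users in their own district; a Handler without a district gets nothing,
    // and "delete" is reserved for Admin (assumption for this example).
    name: "handler-same-district",
    effect: "allow",
    matches: (s, r, a) =>
      s.role === "HANDLER" && a !== "delete" &&
      s.district !== undefined && s.district === r.district,
  },
  {
    // Ownership: anyone may read/update their own record.
    name: "owner-self",
    effect: "allow",
    matches: (s, r, a) => r.ownerId === s.id && a !== "delete",
  },
];

export interface Decision { allowed: boolean; policy: string }

// Deny-overrides, default-deny. The matched policy name is returned so the audit log
// can record *why* a request was allowed or refused, not just that it was.
export function authorize(s: Subject, r: Resource, a: Action, c: Context): Decision {
  const matched = policies.filter((p) => p.matches(s, r, a, c));
  const deny = matched.find((p) => p.effect === "deny");
  if (deny) return { allowed: false, policy: deny.name };
  const allow = matched.find((p) => p.effect === "allow");
  return allow
    ? { allowed: true, policy: allow.name }
    : { allowed: false, policy: "default-deny" };
}
```

In an Express middleware the resource would be loaded from Prisma first and `authorize` called before the handler runs; returning the policy name alongside the boolean is what lets the audit module explain a denial without re-evaluating the rules.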

## 🔐 Security Design

| Feature | Protection |
|---|---|
| Refresh token rotation | A refresh token is valid for one use; replaying a rotated-out token fails |
| HTTP-only cookies | Tokens cannot be read by page scripts, so an XSS bug cannot exfiltrate them (the XSS bug itself still has to be fixed) |
| Rate limiting | Slows brute force and credential stuffing |
| Account lock | Stops repeated failures against a single account |
| Device/IP binding | Rejects a session presented from a different device; IP checks should tolerate mobile and NAT address changes to avoid logging out legitimate users |
| Token reuse detection | A replayed refresh token revokes the whole session, so a stolen token exposes itself |
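
Rate limiting and account lock from the table, as an added example (not the project's code): a per-IP sliding window plus a per-account lock after consecutive failures. The thresholds and the in-memory maps (standing in for Redis or the database) are assumptions.

```typescript
// Added example, not the project's code. Thresholds are illustrative.
export interface GuardOptions {
  ipLimit: number;      // attempts allowed per IP within ipWindowMs
  ipWindowMs: number;
  maxFailures: number;  // consecutive failures before the account locks
  lockMs: number;
}

export type GuardVerdict = "ok" | "rate_limited" | "locked";

export class LoginGuard {
  private readonly ipHits = new Map<string, number[]>();
  private readonly failures = new Map<string, { count: number; lockedUntil: number }>();

  constructor(private readonly opts: GuardOptions) {}

  // Call before verifying the password. The attempt is charged to the IP whether or not
  // the account is locked, so probing for locked accounts still spends IP budget.
  check(account: string, ip: string, now: number): GuardVerdict {
    const hits = (this.ipHits.get(ip) ?? []).filter((t) => now - t < this.opts.ipWindowMs);
    hits.push(now);
    this.ipHits.set(ip, hits);
    if (hits.length > this.opts.ipLimit) return "rate_limited";

    const f = this.failures.get(account);
    if (f && f.lockedUntil > now) return "locked";
    return "ok";
  }

  // Call after a wrong password / OTP. The lock is time-based, so a legitimate user
  // recovers without admin help; the counter restarts once the lock expires.
  recordFailure(account: string, now: number): void {
    const f = this.failures.get(account) ?? { count: 0, lockedUntil: 0 };
    f.count += 1;
    if (f.count >= this.opts.maxFailures) {
      f.lockedUntil = now + this.opts.lockMs;
      f.count = 0;
    }
    this.failures.set(account, f);
  }

  recordSuccess(account: string): void {
    this.failures.delete(account);
  }
}
```

Return the same generic 401 to the client for "wrong password" and "locked" and log the distinction in the audit trail; a different response body for locked accounts tells an attacker which usernames exist.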

## 📊 Admin APIs

| Endpoint | Description |
|---|---|
| `/admin/dashboard` | System stats |
| `/admin/security` | Security insights |
| `/admin/audit` | Audit logs |
| `/admin/sessions/:userId` | Sessions and devices of a user |
| `/admin/security/suspicious` | Suspicious users |

## 📱 OTP APIs

| Endpoint | Description |
|---|---|
| `/otp/send` | Send OTP |
| `/otp/verify` | Verify OTP |

## 🔐 Auth APIs

| Endpoint | Description |
|---|---|
| `/auth/register` | Create user |
| `/auth/login` | Login |
| `/auth/refresh` | Refresh token |
| `/auth/logout` | Logout |
| `/auth/google` | Google OAuth |

## 👤 User APIs

| Endpoint | Description |
|---|---|
| `/user/me` | Get profile |
| `/user/update` | Update profile |
| `/user/change-password` | Change password |
| `/user/set-pin` | Set PIN |
| `/user/change-pin` | Change PIN |

## 🧪 Testing

You can test the APIs with:

- Postman
- Thunder Client
- curl

---

## 🚀 Deployment (Recommended)

- Docker
- AWS EC2 / ECS
- Nginx (reverse proxy)
- HTTPS (TLS)

Behind Nginx, set `app.set('trust proxy', 1)` in Express so rate limiting and IP binding see the client address from `X-Forwarded-For` rather than the proxy's own address.

---

## 🧠 Future Improvements

- Multi-factor authentication (MFA)
- WebAuthn / Passkeys
- Multiple OAuth providers (GitHub, Apple)
- Real-time security alerts (WebSockets)
- Policy DSL (AWS IAM style)

---

## ❤️ Built With

- Node.js + Express
- Prisma + PostgreSQL
- TypeScript
- Zod
- JWT + OAuth

---

## 👨‍💻 Author

Built as a production-grade authentication system for learning and real-world use.

---

## ⭐ If you like this project

Give it a star ⭐ and use it in your projects!

About

Secure Enterprise Auth Backend: JWT Rotation, Multi-device Sessions, and RBAC/ABAC Authorization. Built with TypeScript, Express, and Prisma. 🚀💎
