A production-grade REST API for a Fashion & Outfits Reels platform.
Think Zomato meets TikTok, but for fashion.
Drip is a full-featured fashion discovery platform where users browse short outfit reels, shop directly from videos, follow fashion brands, and get AI-powered style recommendations. This repository contains the complete backend API.
- Separate auth for Users, Fashion Partners, and Admins
- JWT access tokens (15 min) + HTTP-only refresh tokens (7 days)
- Role-based access control (RBAC)
- Refresh token rotation with reuse detection
- Video upload via ImageKit CDN
- Paginated vertical feed with filters
- View count tracking (fire-and-forget)
- Discount percentage virtual fields
- Cart with price locking at add time
- Stripe payment integration
- COD (Cash on Delivery) support
- Order lifecycle management
- Outfit snapshot for deleted item history
- Like / Unlike outfits (toggle)
- Bookmark / Save looks
- Follow / Unfollow fashion partners
- Nested comments (1 level deep)
- Share outfits in chat
- Full-text search with MongoDB text index
- Filter by category, price range, size, partner
- 6 sort options (newest, popular, trending, price)
- Auto-complete suggestions
- Trending tags with scoring algorithm
- Content-based filtering (no external AI needed)
- User categoryScores updated on every interaction
- 6-factor scoring: category match, followed partners, tag overlap, direct preference, trending, freshness
- Style quiz for cold-start new users
- "Complete the Look" cross-selling
- Trending outfits by engagement score
- Real-time via Socket.io
- Persisted in MongoDB for offline users
- 11 notification types (like, comment, follow, order, etc.)
- Unread count, mark as read, bulk operations
- User ↔ Partner direct messaging
- Outfit sharing in chat
- Read receipts
- Typing indicators
- Soft delete with "This message was deleted"
- Consistent conversationId (sorted ID pair)
- Superadmin + Moderator roles with permissions
- Partner approval workflow
- Content moderation (outfits, comments)
- User ban/unban
- Platform analytics with aggregation pipeline
- Helmet security headers
- CORS whitelist
- Rate limiting (different limits per route)
- MongoDB injection sanitization
- HPP (HTTP Parameter Pollution) prevention
- XSS escape on text fields
- Environment validation at startup
- Bcrypt password hashing (salt rounds: 12)
```text
drip-backend/
├── server.js                  # HTTP server + Socket.io
├── app.js                     # Express app + middleware
├── config/
│   ├── db.js                  # MongoDB connection
│   ├── imagekit.js            # ImageKit CDN init
│   ├── logger.js              # Winston logger
│   ├── socket.js              # Socket.io config + rooms
│   └── security.js            # CORS, Helmet, env validation
├── models/                    # 13 Mongoose models
│   ├── User.js
│   ├── FashionPartner.js
│   ├── OutfitItem.js
│   ├── Like.js / Bookmark.js / Follow.js / Comment.js
│   ├── Cart.js / Order.js
│   ├── Notification.js / Message.js
│   └── Admin.js
├── routes/                    # 13 route files
├── controllers/               # 13 controller files
├── middleware/
│   ├── authUser.middleware.js
│   ├── authPartner.middleware.js
│   ├── authAdmin.middleware.js
│   ├── upload.middleware.js
│   ├── error.middleware.js
│   ├── validate.middleware.js
│   └── rateLimit.middleware.js
├── services/
│   ├── imagekit.service.js
│   ├── stripe.service.js
│   ├── socket.service.js      # Notification helpers
│   └── ai.service.js          # Scoring algorithms
├── utils/
│   ├── AppError.js
│   ├── catchAsync.js
│   ├── sendResponse.js
│   ├── pagination.js
│   └── constants.js
└── scripts/
    └── seedAdmin.js
```
- Node.js 18+
- MongoDB Atlas account (free tier works)
- ImageKit account (free tier works)
- Stripe account (test mode)
```bash
# Clone the repository
git clone https://github.com/YOUR_USERNAME/drip-backend.git
cd drip-backend

# Install dependencies
npm install

# Copy environment file
cp .env.example .env
```

```env
# Server
PORT=5000
NODE_ENV=development
CLIENT_URL=http://localhost:5173

# Database
MONGO_URI=mongodb+srv://username:password@cluster.mongodb.net/drip-db

# JWT
JWT_SECRET=your_super_secret_jwt_key_minimum_32_characters
JWT_REFRESH_SECRET=your_refresh_secret_different_from_above
JWT_EXPIRES_IN=15m
JWT_REFRESH_EXPIRES_IN=7d

# ImageKit (imagekit.io)
IMAGEKIT_PUBLIC_KEY=your_public_key
IMAGEKIT_PRIVATE_KEY=your_private_key
IMAGEKIT_URL_ENDPOINT=https://ik.imagekit.io/your_id

# Stripe (stripe.com)
STRIPE_SECRET_KEY=sk_test_your_key
STRIPE_WEBHOOK_SECRET=whsec_your_webhook_secret

# Admin Seed
ADMIN_EMAIL=admin@drip.com
ADMIN_PASSWORD=Admin@123456
```

```bash
# Development
npm run dev

# Production
npm start

# Seed admin account (run once)
npm run seed:admin
```

Expected startup output:

```text
Environment variables validated
JWT secrets are strong and different
MongoDB connected: cluster.mongodb.net
Socket.io initialized successfully
Server running in development mode on port 5000
Health check: http://localhost:5000/api/health
```
```text
GET    /api/health

POST   /api/auth/register
POST   /api/auth/login
POST   /api/auth/refresh
POST   /api/auth/logout
GET    /api/auth/me
PATCH  /api/auth/update-profile
PATCH  /api/auth/change-password

POST   /api/partner/auth/register
POST   /api/partner/auth/login
POST   /api/partner/auth/refresh
POST   /api/partner/auth/logout
GET    /api/partner/me
PATCH  /api/partner/update-profile
PATCH  /api/partner/change-password
GET    /api/partner/:partnerId

POST   /api/upload/image                     (partner)
POST   /api/upload/video                     (partner)
POST   /api/upload/avatar                    (user)
DELETE /api/upload/:fileId

GET    /api/outfit/feed
GET    /api/outfit/my-outfits                (partner)
GET    /api/outfit/partner/:partnerId
GET    /api/outfit/:id
POST   /api/outfit                           (partner)
PATCH  /api/outfit/:id                       (partner)
PATCH  /api/outfit/:id/featured              (partner)
DELETE /api/outfit/:id                       (partner)

POST   /api/social/like/:outfitId
GET    /api/social/liked
POST   /api/social/bookmark/:outfitId
GET    /api/social/bookmarks
POST   /api/social/follow/:partnerId
GET    /api/social/following
GET    /api/social/partner/followers
GET    /api/social/follow/check/:partnerId
POST   /api/social/comment/:outfitId
POST   /api/social/comment/:commentId/reply
GET    /api/social/comment/:outfitId
GET    /api/social/comment/:commentId/replies
DELETE /api/social/comment/:commentId
GET    /api/social/status/:outfitId

GET    /api/search
GET    /api/search/trending
GET    /api/search/partners
GET    /api/search/suggestions
GET    /api/search/category/:category
GET    /api/search/personalized

GET    /api/cart
POST   /api/cart/add
PATCH  /api/cart/item/:itemId
DELETE /api/cart/item/:itemId
DELETE /api/cart/clear

POST   /api/order/checkout
POST   /api/order/webhook                    (Stripe)
GET    /api/order/my-orders
GET    /api/order/partner-orders             (partner)
GET    /api/order/partner-stats              (partner)
GET    /api/order/:orderId
PATCH  /api/order/:orderId/status            (partner)
PATCH  /api/order/:orderId/cancel

GET    /api/notification
GET    /api/notification/unread-count
PATCH  /api/notification/read-all
DELETE /api/notification/read
PATCH  /api/notification/:id/read
DELETE /api/notification/:id

GET    /api/chat/conversations
GET    /api/chat/unread-count
GET    /api/chat/:otherPartyId
POST   /api/chat/:otherPartyId
GET    /api/chat/:otherPartyId/search
DELETE /api/chat/message/:messageId

GET    /api/ai/feed
GET    /api/ai/style-analysis
GET    /api/ai/trending
GET    /api/ai/recommended-partners
GET    /api/ai/similar/:outfitId
GET    /api/ai/complete-look/:outfitId
POST   /api/ai/track
POST   /api/ai/style-quiz

POST   /api/admin/login
GET    /api/admin/users
GET    /api/admin/users/:userId
PATCH  /api/admin/users/:userId/ban
PATCH  /api/admin/users/:userId/unban
GET    /api/admin/partners
GET    /api/admin/partners/:partnerId
PATCH  /api/admin/partners/:partnerId/approve
PATCH  /api/admin/partners/:partnerId/reject
PATCH  /api/admin/partners/:partnerId/ban
GET    /api/admin/outfits
DELETE /api/admin/outfits/:outfitId
GET    /api/admin/comments
DELETE /api/admin/comments/:commentId
GET    /api/admin/orders
GET    /api/admin/orders/:orderId
GET    /api/admin/analytics
GET    /api/admin/admins
POST   /api/admin/admins
PATCH  /api/admin/admins/:adminId
```
| Event | Room | Description |
|---|---|---|
| new_notification | user:id / partner:id | Real-time notification |
| new_message | user:id / partner:id | New chat message |
| messages_read | sender's room | Read receipt |
| message_deleted | receiver's room | Message removed |
| user_typing | receiver's room | Typing indicator |
| Event | Payload | Description |
|---|---|---|
| join_outfit_room | outfitId | Join outfit live room |
| join_conversation | conversationId | Join chat room |
| typing | {conversationId, receiverRoom} | Start typing |
| stop_typing | {conversationId, receiverRoom} | Stop typing |
Every outfit is scored 0-100 for each user:
| Factor | Max Points | Description |
|---|---|---|
| Category match | 40 | Based on user's interaction history |
| Followed partner | 20 | Partner follow bonus |
| Tag overlap | 15 | stylePreferences vs outfit tags |
| Direct category pref | 10 | Category in stylePreferences |
| Trending score | 10 | Views + likes weighted |
| Freshness | 5 | Recently posted bonus |
| Action | Weight |
|---|---|
| order | 5.0 |
| share | 3.5 |
| bookmark | 3.0 |
| comment | 2.5 |
| like | 2.0 |
| view | 0.5 |
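The two tables above, carried through as an added example that is not the project's `ai.service.js`: the per-action `categoryScores` update and the 6-factor 0-100 score. Where the README gives only each factor's maximum, the normalisation rule (category share of total interaction weight, linear freshness decay over 7 days, trending scaled by the feed's maximum) is an assumption and is marked as such in the comments.

```javascript
// Added example: content-based scoring from the README's factor and action-weight tables.
const ACTION_WEIGHTS = { order: 5.0, share: 3.5, bookmark: 3.0, comment: 2.5, like: 2.0, view: 0.5 };
const MAX_POINTS = { category: 40, partner: 20, tags: 15, directPref: 10, trending: 10, freshness: 5 };
const clamp01 = (x) => Math.max(0, Math.min(1, x));

// Called on every interaction: add the action's weight to the outfit's category.
function trackInteraction(user, outfit, action) {
  const w = ACTION_WEIGHTS[action];
  if (w === undefined) throw new Error(`unknown action: ${action}`);
  user.categoryScores[outfit.category] = (user.categoryScores[outfit.category] || 0) + w;
  return user.categoryScores;
}

// ctx: { followedPartnerIds: Set<string>, maxTrending: number, now: Date }
function scoreOutfit(user, outfit, ctx) {
  const cs = user.categoryScores;
  const total = Object.values(cs).reduce((a, b) => a + b, 0);
  // Assumed: category match = this category's share of the user's total interaction weight.
  const categoryShare = total > 0 ? (cs[outfit.category] || 0) / total : 0;
  const tags = new Set(outfit.tags);
  const overlap = user.stylePreferences.filter((p) => tags.has(p)).length;
  const tagRatio = user.stylePreferences.length ? overlap / user.stylePreferences.length : 0;
  // Assumed: "views + likes weighted" reuses the action weights, scaled by the feed's maximum.
  const trending = outfit.views * ACTION_WEIGHTS.view + outfit.likes * ACTION_WEIGHTS.like;
  const trendingRatio = ctx.maxTrending > 0 ? clamp01(trending / ctx.maxTrending) : 0;
  // Assumed: freshness decays linearly from 1 to 0 over 7 days.
  const ageDays = (ctx.now - outfit.createdAt) / 86_400_000;
  const freshness = clamp01(1 - ageDays / 7);

  const breakdown = {
    category: MAX_POINTS.category * categoryShare,
    partner: ctx.followedPartnerIds.has(outfit.partnerId) ? MAX_POINTS.partner : 0,
    tags: MAX_POINTS.tags * tagRatio,
    directPref: user.stylePreferences.includes(outfit.category) ? MAX_POINTS.directPref : 0,
    trending: MAX_POINTS.trending * trendingRatio,
    freshness: MAX_POINTS.freshness * freshness,
  };
  const score = Object.values(breakdown).reduce((a, b) => a + b, 0);
  return { score: Math.round(score), breakdown };
}
```

Rejecting unknown actions in `trackInteraction` matters because `POST /api/ai/track` takes the action name from the client; an unvalidated value would otherwise silently skew a user's scores.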
| Layer | Implementation |
|---|---|
| Headers | Helmet.js (15+ headers) |
| CORS | Whitelist with credentials |
| Rate Limiting | Route-specific limits |
| NoSQL Injection | express-mongo-sanitize |
| XSS | Input escaping + CSP headers |
| HPP | express-hpp |
| Passwords | bcrypt (salt: 12) |
| Tokens | JWT + httpOnly cookies |
| Validation | express-validator on all routes |
| Route | Limit | Window |
|---|---|---|
| Global | 100 req | 15 min |
| Auth (login/register) | 10 req | 15 min |
| Admin login | 5 req | 15 min |
| File upload | 20 req | 1 hour |
| Search | 30 req | 1 min |
| AI endpoints | 20 req | 1 min |
| Model | Collection | Key Fields |
|---|---|---|
| User | users | email, password, categoryScores |
| FashionPartner | fashionpartners | brandName, isApproved |
| OutfitItem | outfititems | video, price, tags, text index |
| Like | likes | user+outfit compound unique |
| Bookmark | bookmarks | user+outfit compound unique |
| Follow | follows | follower+following compound unique |
| Comment | comments | parentComment for replies |
| Cart | carts | user unique, priceAtAdd locking |
| Order | orders | orderNumber (DRP-YYYYMM-XXXXXX) |
| Notification | notifications | recipient+model+type |
| Message | messages | conversationId (sorted IDs) |
| Admin | admins | role + permissions array |
All 80+ endpoints tested with Postman.
Test collections cover:
- Happy path (success scenarios)
- Error cases (400, 401, 403, 404, 422, 429)
- Security attacks (NoSQL injection, XSS, fake tokens)
- Edge cases (empty cart checkout, rate limits)
- Real-time (Socket.io events)
| Technology | Version | Purpose |
|---|---|---|
| Node.js | 18+ | Runtime |
| Express | 4.x | Web framework |
| MongoDB | Atlas | Database |
| Mongoose | 7.x | ODM |
| Socket.io | 4.x | Real-time |
| JWT | 9.x | Authentication |
| bcryptjs | 2.x | Password hashing |
| Stripe | 14.x | Payments |
| ImageKit | 4.x | CDN / Media |
| Winston | 3.x | Logging |
| Helmet | 7.x | Security headers |
| express-rate-limit | 7.x | Rate limiting |
| express-validator | 7.x | Input validation |
| express-mongo-sanitize | 2.x | NoSQL injection |
| Multer | 1.x | File handling |
Built with ❤️ as a portfolio project demonstrating production-grade MERN stack development.
MIT License, free to use for learning and portfolio purposes.