Your task is to implement Authentication and Authorization with JWT (Access and Refresh tokens) for the Knowledge Hub API.
This is a continuation of the Database & Prisma assignment (06b). You will work in the same repository created in assignment 05.
- Task should be implemented in TypeScript
- Use Node.js 24.x.x (24.10.0 or later)
- Endpoints

  - Signup (`/auth/signup` route)
    - `POST /auth/signup`: send `login` and `password` to create a new `user`
    - Server should answer with status code `201` and a corresponding message if the DTO is valid
    - Server should answer with status code `400` and a corresponding message if the DTO is invalid (no `login` or `password`, or they are not `string`s, or `login` is already taken)

  - Login (`/auth/login` route)
    - `POST /auth/login`: send `login` and `password` to get an Access token and a Refresh token
    - Server should answer with status code `200` and tokens in the response body: `{ accessToken: string, refreshToken: string }`
    - Server should answer with status code `400` and a corresponding message if the DTO is invalid (no `login` or `password`, or they are not `string`s)
    - Server should answer with status code `403` and a corresponding message if authentication failed (no user with such `login`, `password` doesn't match the actual one, etc.)

  - Refresh (`/auth/refresh` route)
    - `POST /auth/refresh`: send the refresh token in the body as `{ refreshToken }` to get a new pair of Access token and Refresh token
    - Server should answer with status code `200` and new tokens in the body if the DTO is valid
    - Server should answer with status code `401` and a corresponding message if the DTO is invalid (no `refreshToken` in the body)
    - Server should answer with status code `403` and a corresponding message if authentication failed (Refresh token is invalid or expired)
- Once `POST /auth/signup` accepts the `password` property, it is replaced with a hash (using the `bcrypt` or `bcryptjs` package) before it is stored. No raw passwords should be stored in the database. NB! The password should remain hashed after any operation with the service: an update that touches the password must hash the new value, and an update that does not touch it must not write a plaintext value back.
- The JWT Access token should contain `userId`, `login`, and `role` in its payload and have a short expiration time (e.g. 15 minutes). The JWT Refresh token should have a longer expiration time (e.g. 7 days). Sign the two with different secrets (`JWT_SECRET` and `JWT_REFRESH_SECRET`) so that a refresh token cannot be presented as an access token, or vice versa.
- The JWT Access token should be sent in the HTTP `Authorization` header of every request that requires authentication. Guard all routes (except `/auth/signup`, `/auth/login`, `/auth/refresh`, `/doc`, `/`) and check that the HTTP `Authorization` header carries a valid JWT Access token. HTTP authentication must follow the `Bearer` scheme: `Authorization: Bearer <jwt_token>`
- If the HTTP `Authorization` header is absent, invalid, does not follow the `Bearer` scheme, or the Access token has expired, further route handler execution should be stopped and the server should respond with HTTP status code `401` and a corresponding error message.
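The following is an added example, not the assignment's reference solution; it covers the token payload and TTL items, the `.env` variable names, the `Bearer` guard, and the `/auth/refresh` status codes in one place. A real project would sign with `jsonwebtoken`, but the internals are what the tests exercise, so HS256 is implemented directly on `node:crypto`: the signature is HMAC-SHA256 over `base64url(header).base64url(payload)`, compared in constant time, and the payload is trusted only after that check. The secret and TTL fallback values, the `parseTtl` helper, and the `now` parameter (injected so expiry is testable) are assumptions of this example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Role = "viewer" | "editor" | "admin";
export interface AccessClaims { userId: string; login: string; role: Role }
interface Claims extends AccessClaims { iat: number; exp: number }

// Same variable names as the assignment's .env; the fallbacks are example-only.
const ACCESS_SECRET = process.env.JWT_SECRET ?? "example-access-secret";
const REFRESH_SECRET = process.env.JWT_REFRESH_SECRET ?? "example-refresh-secret";
const ACCESS_TTL = process.env.JWT_ACCESS_TTL ?? "15m";
const REFRESH_TTL = process.env.JWT_REFRESH_TTL ?? "7d";

// Assumed helper: "15m" -> 900, "7d" -> 604800; a bare number is seconds.
export function parseTtl(ttl: string): number {
  const m = /^(\d+)([smhd])?$/.exec(ttl.trim());
  if (!m) throw new Error(`unparseable TTL: ${ttl}`);
  const unit = { s: 1, m: 60, h: 3600, d: 86400 }[(m[2] ?? "s") as "s" | "m" | "h" | "d"];
  return Number(m[1]) * unit;
}

const b64url = (s: string) => Buffer.from(s, "utf8").toString("base64url");
const nowSeconds = () => Math.floor(Date.now() / 1000);

// HS256: signature = HMAC-SHA256(secret, base64url(header) + "." + base64url(payload))
export function sign(claims: AccessClaims, secret: string, ttlSeconds: number, now = nowSeconds()): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ ...claims, iat: now, exp: now + ttlSeconds }));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Throws on any defect; the caller maps that to 401 (access) or 403 (refresh).
export function verify(token: string, secret: string, now = nowSeconds()): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [header, payload, sig] = parts;
  let alg: unknown;
  try { alg = JSON.parse(Buffer.from(header, "base64url").toString("utf8")).alg; } catch { throw new Error("malformed header"); }
  if (alg !== "HS256") throw new Error("unexpected alg"); // allow-list; never honour "none" or a key-confusion alg
  const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as Claims; // only after the MAC check
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired");
  return claims;
}

// Access and refresh tokens carry the same claims but are signed with different secrets.
export function issuePair(claims: AccessClaims, now = nowSeconds()) {
  return {
    accessToken: sign(claims, ACCESS_SECRET, parseTtl(ACCESS_TTL), now),
    refreshToken: sign(claims, REFRESH_SECRET, parseTtl(REFRESH_TTL), now),
  };
}

export type AuthResult = { status: 200; user: AccessClaims } | { status: 401; message: string };

// The guard for every route outside the allow-list: absent header, wrong scheme,
// bad signature or expiry all stop the handler with 401.
export function authenticate(authorization: string | undefined, now = nowSeconds()): AuthResult {
  if (authorization === undefined) return { status: 401, message: "Authorization header is missing" };
  const [scheme, token, ...rest] = authorization.split(" ");
  if (scheme !== "Bearer" || !token || rest.length > 0) {
    return { status: 401, message: "Expected 'Authorization: Bearer <jwt_token>'" };
  }
  try {
    const { userId, login, role } = verify(token, ACCESS_SECRET, now);
    return { status: 200, user: { userId, login, role } };
  } catch (e) {
    return { status: 401, message: `Access token rejected: ${(e as Error).message}` };
  }
}

// POST /auth/refresh: 401 when the DTO lacks refreshToken, 403 when the token fails verification.
export function refresh(body: { refreshToken?: unknown }, now = nowSeconds()) {
  if (typeof body.refreshToken !== "string") return { status: 401 as const, message: "refreshToken is required" };
  try {
    const { userId, login, role } = verify(body.refreshToken, REFRESH_SECRET, now);
    return { status: 200 as const, ...issuePair({ userId, login, role }, now) };
  } catch {
    return { status: 403 as const, message: "Refresh token is invalid or expired" };
  }
}
```

Two caveats a practitioner would add: `refresh` above copies `role` out of the old token, so a role change by an admin only takes effect once the refresh token expires; re-reading the user from the database during refresh fixes that. And because the refresh token is verified with `JWT_REFRESH_SECRET`, an access token pasted into the refresh body fails the signature check and gets 403, which is the behaviour the separate secrets exist to guarantee.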
- Role-Based Access Control (RBAC):
  - `viewer`: can only perform `GET` requests (read-only access to all resources)
  - `editor`: can perform `GET` requests and can `POST` (create) / `PUT` (update) their own articles and comments. Cannot delete other users' content or manage categories.
  - `admin`: full access to all operations on all resources

  If a user attempts an operation they are not authorized for, the server should respond with status code `403` and a corresponding message.
- Secrets used for signing the tokens should be stored in the `.env` file:

  ```
  JWT_SECRET=your_access_token_secret
  JWT_REFRESH_SECRET=your_refresh_token_secret
  JWT_ACCESS_TTL=15m
  JWT_REFRESH_TTL=7d
  ```
- New users created via `/auth/signup` should have the `viewer` role by default. Only admins can change user roles.
- If installing `bcrypt` fails with `gyp ERR! stack Error: "pre" versions of node cannot be installed, use the --nodedir flag instead`, check compatibility between your Node.js and `bcrypt` versions. Alternatively, use `bcryptjs`, which is a pure JavaScript implementation and does not require native compilation.