# Task Manager API

Task Manager API is a backend-focused portfolio project designed to demonstrate backend fundamentals, API security, role-based access control (RBAC), and database design using Node.js and PostgreSQL.

The project simulates a task management system with users, teams, roles, and permissions, going beyond basic CRUD to showcase authorization logic, structured testing, and Docker-based deployment.

This project is intentionally built as a backend-only service to highlight server-side design, not UI implementation.
## Table of Contents

- Getting Started
- Key Features
- Tech Stack
- Architecture Overview
- Project Structure
- Authentication Flow
- API Endpoints
- Database Design
- Security Considerations
- Testing

## Getting Started

- Clone the repository

  ```bash
  git clone https://github.com/bx0518/task-manager-api.git
  cd task-manager-api
  ```

- Create a `.env` file

  ```env
  PORT=3000
  DB_HOST=localhost
  DB_PORT=5432
  DB_USER=your_postgre_username
  DB_PASSWORD=your_postgre_password
  DB_NAME=taskdb
  JWT_SECRET=your_jwt_secret
  ```

  Replace `your_postgre_username`, `your_postgre_password`, and `your_jwt_secret` with appropriate values. `DB_HOST` will be automatically overridden to `postgres` when using Docker.
### Run with Docker

Using Docker allows you to avoid installing Node.js and PostgreSQL locally. Docker will handle all required services (including the database).

Make sure you have Docker and Docker Compose installed on your machine.

- Build and start services

  ```bash
  docker-compose up --build
  ```

- Access the API

  The API will be available at http://localhost:3000.

Docker handles:

- PostgreSQL service
- Database initialization (runs automatically when the container starts)
### Run locally

If you prefer to run the API directly on your machine, follow these steps.

Ensure you have the following installed:

- Node.js >= 18
- PostgreSQL >= 14
- npm

Steps:

- Install dependencies

  ```bash
  npm install
  ```

- Create the PostgreSQL database

  You need to create a PostgreSQL database and run the initialization script:

  ```bash
  psql -h localhost -U postgres -d taskdb -f init-db.sql
  ```

- Start the server

  ```bash
  npm start
  ```

- Access the API

  The API will be available at http://localhost:3000.
## Key Features

- User authentication with JWT
- Secure password hashing with bcrypt
- Role-Based Access Control (RBAC) with permissions
- Team-based task visibility and management
- Admin and manager privilege separation
- Input validation with Joi
- Centralized logging with Winston
- API security middleware (rate limiting, headers, compression)
- PostgreSQL relational database with migrations
- Dockerized environment
- Automated tests using Jest + Supertest
## Tech Stack

- Node.js (Express v5)
- PostgreSQL
- JWT (jsonwebtoken)
- bcrypt
- express-rate-limit
- helmet
- compression
- Joi
- Winston
- Jest
- Supertest
- Docker & Docker Compose
- dotenv
## Architecture Overview

This API follows a layered architecture commonly used in production backend systems:

```
Client
  ↓
Routes (HTTP layer)
  ↓
Middleware (Auth, RBAC, Validation)
  ↓
Controllers
  ↓
Models (PostgreSQL Database Access)
```

Request flow:

- Request enters the Express Router
- Security middleware runs first (rate limit, headers)
- Authentication middleware validates the JWT
- RBAC middleware checks permissions & resource ownership
- Validation middleware ensures the request shape
- Controller logic executes business rules
- Models execute the database query
- Standardized response returned

This separation ensures the codebase remains maintainable, testable, and scalable.
## Project Structure

```
task-manager-api/
├── controllers/        # Business logic
├── middleware/         # Auth, RBAC, security
├── migrations/         # DB migrations
├── models/             # Database models
├── routes/             # API routes
├── tests/              # Unit & integration tests
├── utils/              # Helper utilities (e.g. logger)
├── .env.example        # Sample environment variables
├── app.js              # Entry point
├── db.js               # PostgreSQL connection
├── docker-compose.yml  # Multi-container setup
├── Dockerfile          # App container definition
└── init-db.sql         # Initial database setup
```

## Authentication Flow

- User registers via `/users/register`
- Password is hashed using bcrypt
- User logs in via `/users/login`
- Server issues a JWT access token
- Token must be sent in the `Authorization: Bearer <token>` header
### Role-Based Access Control (RBAC)

This project implements permission-based RBAC rather than simple role checks. This avoids hard-coded role logic, makes permission changes easier, and mirrors enterprise authorization systems.

- admin - full system access
- manager - team-level access
- user - own-resource access
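As an added example (not the project's own middleware), the block below shows the shape of permission-based RBAC described above: roles map to named permissions, and route handlers ask for a permission rather than testing a role string. The permission names (`task:<action>:<scope>`), the `ownerId`/`teamId` fields on a task and the synchronous in-memory task loader are assumptions made for this illustration.

```javascript
// Added example (not the project's code): permission-based RBAC with the
// admin / manager / user roles from the README and an ownership check.
// Scope escalates own -> team -> any; the first granted scope that fits wins.
const ROLE_PERMISSIONS = Object.freeze({
  admin:   new Set(['task:read:any', 'task:write:any', 'task:delete:any', 'user:manage']),
  manager: new Set(['task:read:team', 'task:write:team', 'task:read:own', 'task:write:own']),
  user:    new Set(['task:read:own', 'task:write:own']),
});

// Unknown roles hold no permissions, so a bad role value fails closed.
function hasPermission(role, permission) {
  const perms = ROLE_PERMISSIONS[role];
  return perms !== undefined && perms.has(permission);
}

// May `user` perform `action` ("read" | "write" | "delete") on `task`?
// user = { id, role, teamId }, task = { id, ownerId, teamId }.
function canAccessTask(user, action, task) {
  if (hasPermission(user.role, `task:${action}:any`)) return true;
  if (hasPermission(user.role, `task:${action}:team`)
      && task.teamId !== null && task.teamId === user.teamId) return true;
  if (hasPermission(user.role, `task:${action}:own`) && task.ownerId === user.id) return true;
  return false;
}

// Express-style middleware factory. Assumes an earlier middleware set req.user
// and that loadTask(id) returns the task or null (constructed, synchronous here).
function authorizeTask(action, loadTask) {
  return (req, res, next) => {
    const task = loadTask(req.params.id);
    if (!task) return res.status(404).json({ error: 'not found' });
    if (!canAccessTask(req.user, action, task)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    req.task = task; // hand the loaded row to the controller
    return next();
  };
}

module.exports = { ROLE_PERMISSIONS, hasPermission, canAccessTask, authorizeTask };
```

A route would then be wired as `router.delete('/tasks/:id', authenticate, authorizeTask('delete', loadTask), controller)`. Because the manager role lacks `task:delete:team`, the example denies a manager deleting a team member's task without any route knowing what "manager" means; granting that capability is a one-line change to the table. Note that answering 404 for a missing row and 403 for a denied one reveals whether an id exists; returning 404 in both cases is a common choice when that matters.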
## API Endpoints

Detailed API documentation is available in `documentation/api.md`.

User authentication:

```
POST /users/register
POST /users/login
```

Tasks:

```
POST   /tasks
GET    /tasks
GET    /tasks/:id
PUT    /tasks/:id
DELETE /tasks/:id
GET    /tasks/team
```

Admin task management:

```
GET    /tasks/admin/all
GET    /tasks/admin/user/:id
GET    /tasks/admin/team/:teamId
DELETE /tasks/admin/:id
```

User and team administration:

```
GET    /admin/users
PUT    /admin/users
DELETE /admin/users
POST   /teams
GET    /teams
PUT    /teams/assign
DELETE /teams/:id
```
## Database Design

The database is designed to support RBAC and team-based access.

Core tables:

- `users`
- `roles`
- `teams`
- `tasks`

Relationships:

- Each user has one role
- Users may belong to a team
- Tasks are owned by users and optionally linked to teams

A detailed schema explanation is available in `documentation/database.md`.
## Security Considerations

- Password hashing with bcrypt (salted)
- JWT expiration & verification middleware
- Rate limiting to mitigate brute-force attacks
- Helmet for secure HTTP headers
- Centralized request logging for audit & debugging
## Testing

Run tests:

```bash
npm test
```

Tests cover:

- Authentication (valid / invalid JWT)
- Authorization (RBAC permission)
- Resource ownership checks
- Admin-only routes
- Task CRUD flows