
🔐 Complete Authentication System (Production Ready)

A production-ready authentication system built with Node.js, Express, MongoDB, and JWT. This project demonstrates industry-level authentication architecture including Access Tokens, Refresh Tokens, Token Rotation, Session Management, OTP verification, and secure multi-device logout.


🚀 Overview

This system simulates how modern applications handle authentication securely and efficiently.


🧩 Core Features

🔑 JWT Authentication

  • Access Token (short-lived)
  • Refresh Token (long-lived)
  • Secure token verification middleware

🔄 Token Rotation

  • A new refresh token is issued on every token-refresh request
  • Prevents a previously issued refresh token from being accepted again
  • Enhances overall security

📱 Session Management

  • Each login creates a session
  • Tracks:
    • IP Address
    • Device (User-Agent)
  • Supports multi-device login

🚪 Logout System

  • Logout from a single device
  • Logout from all devices
  • Session revocation support

🔐 OTP Authentication

  • Email-based OTP verification
  • Secure OTP generation & validation
  • Expiry-based OTP system

🛡️ Security Enhancements

  • Hashed refresh tokens
  • Optional token blacklist
  • Input validation
  • Protected routes middleware

🏗️ Architecture

Client → API (Express)
            ↓
        Controllers
            ↓
        Services
            ↓
        Models (Mongoose)
            ↓
        MongoDB

🔄 Authentication Flow

🪜 Login Flow

  1. User sends login request
  2. Access Token and Refresh Token are generated
  3. Refresh token is hashed and stored in the database
  4. A session is created with device and IP information

🔁 Token Refresh Flow

  1. Client sends its refresh token
  2. Server looks up the session and checks the presented token against the stored hash
  3. New access token is generated
  4. New refresh token is issued and its hash replaces the stored one (rotation)

🚪 Logout Flow

  • Single device logout → specific session revoked
  • Logout from all devices → all sessions revoked

🔢 OTP Flow

  1. User requests OTP
  2. Server generates OTP
  3. OTP is sent via email
  4. User verifies OTP to complete authentication

🛡️ Security Features

  • JWT verification
  • Refresh token hashing
  • Session-based authentication
  • Token rotation
  • OTP verification
  • Logout from all devices

🗂️ Folder Structure

project-root/
│
├── controllers/
├── models/
├── routes/
├── middlewares/
├── services/
├── utils/
├── config/
└── server.js

⚙️ Tech Stack

  • Node.js
  • Express.js
  • MongoDB
  • Mongoose
  • JWT

📦 Installation

# Clone the repository
git clone https://github.com/yeasin-riyad/Advance-Authentication-System.git

# Install dependencies
npm install

# Run server
npm run dev

🔑 Environment Variables

Create a .env file:

PORT=5000
MONGO_URI=your_mongodb_uri
JWT_ACCESS_SECRET=your_access_secret
JWT_REFRESH_SECRET=your_refresh_secret
OTP_SECRET=your_otp_secret

🧪 API Example

➤ Login

POST /api/auth/login
{
  "email": "user@example.com",
  "password": "123456"
}

🌐 Live API

🚀 Base URL:

https://advance-backend-ledger.onrender.com

🔍 Example Request

POST https://advance-backend-ledger.onrender.com/api/auth/login

📌 Key Concepts Implemented

  • Access & Refresh Token Strategy
  • Token Rotation
  • Session-Based Authentication
  • OTP Verification System
  • Secure Logout (Single + All Devices)

🎯 Future Improvements

  • Redis for session storage
  • Rate limiting & brute-force protection
  • Social login (Google, Facebook)
  • Multi-factor authentication (MFA)

💡 Author

Yeasin Mazumder


⭐ If you like this project, give it a star!
