A centralized authentication and authorization system that manages user access across multiple applications with role-based permissions.
- User authentication (signup/login) across multiple applications
- Application-specific role-based access control (RBAC)
- JWT-based authentication
- Application management (register, update, delete applications)
- Flexible permission system per application
- Secure password hashing
- Input validation
- Cross-Origin Resource Sharing (CORS) support
- Node.js (v14 or higher)
- MongoDB (v4.4 or higher)
- npm or yarn package manager
- Clone the repository:

  ```bash
  git clone <repository-url>
  cd central-auth-system
  ```

- Install dependencies:

  ```bash
  npm install
  ```

- Create a `.env` file in the root directory with the following variables:

  ```
  PORT=5000
  MONGODB_URI=mongodb://localhost:27017/central-auth
  JWT_SECRET=your-super-secret-key-change-this-in-production
  JWT_EXPIRES_IN=24h
  ```

  The `JWT_SECRET` value above is a placeholder. Every token is signed with it, so anyone who learns it can mint tokens for any user and role: replace it with a long random value from a CSPRNG, keep `.env` out of version control, and consider a shorter `JWT_EXPIRES_IN` than 24 hours so a leaked token stops working sooner.

- Start the server:

  ```bash
  # Development mode
  npm run dev
  # Production mode
  npm start
  ```
- `POST /api/auth/signup` - Register a new user; `appId` identifies the application the account is created for

  ```json
  {
    "email": "user@example.com",
    "password": "password123",
    "firstName": "John",
    "lastName": "Doe",
    "appId": "application-id"
  }
  ```

- `POST /api/auth/login` - Login user

  ```json
  {
    "email": "user@example.com",
    "password": "password123",
    "appId": "application-id"
  }
  ```

- `GET /api/auth/verify` - Verify a JWT token (sent as `Authorization: Bearer <token>`)
- `POST /api/apps` - Create new application (admin only)

  ```json
  {
    "name": "My App",
    "description": "Application description",
    "allowedOrigins": ["http://localhost:3000"],
    "availableRoles": [
      {
        "name": "admin",
        "description": "Administrator",
        "permissions": ["create", "read", "update", "delete"]
      }
    ]
  }
  ```

- `GET /api/apps` - Get all applications (admin only)
- `GET /api/apps/:id` - Get single application (admin only)
- `PUT /api/apps/:id` - Update application (admin only)
- `DELETE /api/apps/:id` - Delete application (admin only)
- Register your application through the admin API (`POST /api/apps`) to get a `clientId` and `clientSecret`.
- Add authentication to your application:

  ```javascript
  // Example using axios. The plain-http URL is for local development only;
  // in production the auth server must be reached over HTTPS.
  const login = async (email, password) => {
    const response = await axios.post('http://localhost:5000/api/auth/login', {
      email,
      password,
      appId: 'your-app-id'
    });
    const { token } = response.data;
    // Store the token. localStorage is readable by any script running on the
    // page, so one XSS bug leaks the token; keeping it in memory or in an
    // httpOnly cookie set by the server is the safer choice.
    localStorage.setItem('token', token);
  };
  ```

- Use the token for authenticated requests:

  ```javascript
  // This default applies to every host axios talks to; use a dedicated
  // axios instance with a baseURL if the app also calls third-party APIs.
  axios.defaults.headers.common['Authorization'] = `Bearer ${token}`;
  ```
- Always use HTTPS in production: the JWT is a bearer credential, so anyone who can read the traffic can replay it
- Store JWT tokens securely: anything page scripts can read (such as `localStorage`) is exposed by a single XSS bug, so prefer memory or an httpOnly cookie, and keep `JWT_EXPIRES_IN` short so a leaked token has limited value
- Change the JWT secret in production: generate a long random value and never commit `.env`; whoever knows the secret can mint tokens for any user and role
- Implement rate limiting on `/api/auth/login` and `/api/auth/signup` to slow brute-force and credential-stuffing attempts
- Keep dependencies updated (`npm audit` lists packages with known vulnerabilities)
- Monitor for security vulnerabilities
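The rate-limiting item above is the one that needs code of its own. The following is an added example, not part of the central-auth-system project: a fixed-window limiter keyed both per client IP and per account, so that neither one source spraying many accounts nor many sources hammering one account gets unlimited guesses at `POST /api/auth/login`. The limits, window and key format are assumptions, and the clock is injectable so the behaviour can be tested without waiting.

```javascript
// Added example: login rate limiting keyed per IP and per account.
// Limits, window length and key format are assumptions, not project settings.
class FixedWindowLimiter {
  constructor(limit, windowMs, now = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.windows = new Map(); // key -> { start, count }
  }

  // Records one attempt for `key`. Returns 0 if the attempt is allowed,
  // otherwise the milliseconds until the window resets (usable as Retry-After).
  hit(key) {
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t - w.start >= this.windowMs) {
      w = { start: t, count: 0 };
      this.windows.set(key, w);
    }
    w.count += 1;
    return w.count <= this.limit ? 0 : w.start + this.windowMs - t;
  }

  // Drops expired windows; run periodically so memory stays bounded. With
  // several server instances, keep the counters in a shared store instead.
  prune() {
    const t = this.now();
    for (const [k, w] of this.windows) {
      if (t - w.start >= this.windowMs) this.windows.delete(k);
    }
  }
}

// Builds a login check: e.g. 20 attempts per IP and 5 per account per 15 minutes.
function createLoginThrottle({ perIp = 20, perAccount = 5, windowMs = 15 * 60 * 1000, now } = {}) {
  const ipLimiter = new FixedWindowLimiter(perIp, windowMs, now);
  const accountLimiter = new FixedWindowLimiter(perAccount, windowMs, now);
  // Returns { allowed: true } or { allowed: false, retryAfterSec }.
  return function check(ip, email, appId) {
    // Normalise the account key so "User@x" and " user@x " count as one account.
    const account = `${appId}:${String(email).trim().toLowerCase()}`;
    const wait = Math.max(ipLimiter.hit(ip), accountLimiter.hit(account));
    return wait === 0
      ? { allowed: true }
      : { allowed: false, retryAfterSec: Math.ceil(wait / 1000) };
  };
}

// Express wiring (illustrative): reject with 429 before the password is checked.
// const check = createLoginThrottle();
// app.post('/api/auth/login', (req, res, next) => {
//   const r = check(req.ip, req.body.email, req.body.appId);
//   if (!r.allowed) {
//     return res.set('Retry-After', String(r.retryAfterSec)).status(429).json({ error: 'Too many attempts' });
//   }
//   next();
// });

module.exports = { FixedWindowLimiter, createLoginThrottle };
```

Counting attempts rather than failures keeps the check free of database work, which is the point of running it first; if you want successful logins not to count, reset the account key on success. Behind a reverse proxy, `req.ip` is only meaningful when Express is configured to trust the proxy, otherwise every client shares the proxy's address.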
The API returns appropriate HTTP status codes and error messages:
- 200: Success
- 201: Created
- 400: Bad Request
- 401: Unauthorized (missing, invalid or expired token, or wrong credentials on login)
- 403: Forbidden (valid token, but the user lacks the required role, e.g. a non-admin calling `/api/apps`)
- 404: Not Found
- 500: Internal Server Error
- Fork the repository
- Create a feature branch
- Commit your changes
- Push to the branch
- Create a Pull Request
MIT License