vibe-conding-lab-with-rules

Languages: TypeScript 99.2%, JavaScript 0.8% (last updated 7 months ago)

Vibe Coding Lab - User Authentication and Registration System

Overview

This project implements a secure user authentication and registration system using NestJS, MongoDB, and JWT tokens. The system provides comprehensive security features including password hashing, multi-factor authentication support, rate limiting, and session management.

Features Implemented

✅ Core Authentication Features

  • User Registration with email validation and password strength requirements
  • Secure Login with JWT access and refresh tokens
  • Token Refresh mechanism for seamless user experience
  • Logout functionality with session invalidation
  • Password Hashing using bcrypt with 12 salt rounds

✅ Security Features

  • JWT Token Management with configurable expiration times
  • Rate Limiting (5 attempts per 15 minutes per IP)
  • Session Management with automatic cleanup
  • Email Verification system (placeholder for future implementation)
  • Multi-Factor Authentication support (placeholder for future implementation)
  • Request Logging for security monitoring

✅ Business Rules Implemented

  1. ✅ Passwords must be at least 8 characters with uppercase, lowercase, number, and special character
  2. ✅ Email addresses must be unique across the system
  3. ✅ JWT access tokens expire after 1 hour
  4. ✅ Refresh tokens expire after 30 days
  5. ✅ Failed login attempts are rate limited (5 attempts per 15 minutes per IP)
  6. ✅ Email verification is required before full account access
  7. ✅ MFA setup is optional but recommended
  8. ✅ User sessions are automatically invalidated after 30 days of inactivity

API Endpoints

Authentication Endpoints

Method  Endpoint                Description           Authentication
POST    /api/v1/auth/register   Register a new user   Public
POST    /api/v1/auth/login      Login user            Public
POST    /api/v1/auth/logout     Logout user           JWT Required
POST    /api/v1/auth/refresh    Refresh access token  Public

Request/Response Examples

Register User

Response:

Login User

Response:

Refresh Token

Response:

Logout

Response:

Data Models

User Model

UserSession Model

UserMFASettings Model

Project Structure

src/
├── auth/                                # Authentication module
│   ├── controllers/
│   │   └── auth.controller.ts           # Auth endpoints
│   ├── services/
│   │   └── auth.service.ts              # Business logic
│   ├── guards/
│   │   └── jwt-auth.guard.ts            # JWT authentication guard
│   ├── strategies/
│   │   └── jwt.strategy.ts              # Passport JWT strategy
│   ├── decorators/
│   │   ├── public.decorator.ts          # Public route decorator
│   │   └── current-user.decorator.ts    # Current user decorator
│   ├── dto/                             # Data Transfer Objects
│   │   ├── register.dto.ts
│   │   ├── login.dto.ts
│   │   ├── refresh.dto.ts
│   │   └── auth-response.dto.ts
│   └── models/                          # Database models
│       ├── user.model.ts
│       ├── user-session.model.ts
│       └── user-mfa-settings.model.ts
├── core/                                # Core module
│   ├── filters/
│   │   └── http-exception.filter.ts     # Global exception filter
│   ├── middleware/
│   │   └── request-logger.middleware.ts # Request logging
│   └── core.module.ts
├── shared/                              # Shared utilities
│   └── utils/
│       ├── password.utils.ts            # Password utilities
│       └── email.utils.ts               # Email utilities
└── main.ts                              # Application entry point

Environment Configuration

Create a .env file based on env.example:

Installation and Setup

  1. Install dependencies:

  2. Set up environment variables:

  3. Start MongoDB:

  4. Run the application:

  5. Access the API documentation:

    http://localhost:3000/api/docs

Development Commands

Security Features

Password Security

  • Strength Requirements: Minimum 8 characters with uppercase, lowercase, number, and special character
  • Hashing: bcrypt with 12 salt rounds
  • Validation: Real-time password strength validation
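The strength rule above (and business rule 1) is precise enough to code directly. The following is an added example written for this page, not the project's password.utils.ts or its class-validator DTO rules; it reports every failed requirement at once rather than stopping at the first. The meaning of "special character" is not defined in the README, so the regex below is an assumption.

```typescript
// Added example; not the project's password.utils.ts or its class-validator DTO
// rules. Checks a candidate password against the README's stated rule:
// at least 8 characters, with at least one uppercase letter, one lowercase
// letter, one digit and one special character. Every failed requirement is
// returned so the client can show the user all of them at once.

export interface PasswordCheck {
  valid: boolean;
  failures: string[]; // empty when valid
}

// Assumption: the README does not define "special character"; here it means
// any printable ASCII character that is neither a letter, a digit nor a space.
const SPECIAL = /[!-\/:-@\[-`{-~]/;

export function checkPasswordStrength(password: string): PasswordCheck {
  const failures: string[] = [];
  if (password.length < 8) failures.push("min_length_8");
  if (!/[A-Z]/.test(password)) failures.push("uppercase");
  if (!/[a-z]/.test(password)) failures.push("lowercase");
  if (!/[0-9]/.test(password)) failures.push("digit");
  if (!SPECIAL.test(password)) failures.push("special");
  return { valid: failures.length === 0, failures };
}

// Human-readable text for each failure code, suitable for an API error body.
export const FAILURE_MESSAGES: Record<string, string> = {
  min_length_8: "Password must be at least 8 characters long",
  uppercase: "Password must contain an uppercase letter",
  lowercase: "Password must contain a lowercase letter",
  digit: "Password must contain a number",
  special: "Password must contain a special character",
};

export function describeFailures(check: PasswordCheck): string[] {
  return check.failures.map((code) => FAILURE_MESSAGES[code]);
}
```

Run the check on the registration DTO before hashing; the only data that leaves the server is the list of failure codes or messages, never the password itself.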

Token Security

  • Access Tokens: 1-hour expiration
  • Refresh Tokens: 30-day expiration with session tracking
  • Token Storage: Hashed refresh tokens in database
  • Automatic Cleanup: Expired sessions are automatically removed

Rate Limiting

  • Login Attempts: 5 attempts per 15 minutes per IP
  • Global Rate Limiting: Applied to all endpoints
  • Configurable: TTL and limits can be adjusted via environment variables
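As an added illustration of the login rule (5 attempts per 15 minutes per IP), here is a standalone in-memory fixed-window limiter. It is not the project's throttling code; the project applies limiting globally and reads TTL and limit from environment variables, whereas this example takes them as a config object with the README's numbers as defaults. The clock is injectable so the 15-minute window can be advanced in a test.

```typescript
// Added example; not the project's own throttling configuration. A standalone
// fixed-window limiter for the README's login rule: 5 attempts per 15 minutes
// per IP. In the project the limit and TTL come from environment variables.

export interface RateLimitConfig {
  limit: number;    // attempts allowed per window (README: 5)
  windowMs: number; // window length in milliseconds (README: 15 minutes)
}

export interface RateLimitDecision {
  allowed: boolean;
  remaining: number;    // attempts left in the current window
  retryAfterMs: number; // 0 when allowed, else time until the window resets
}

export const LOGIN_LIMIT: RateLimitConfig = { limit: 5, windowMs: 15 * 60 * 1000 };

interface AttemptWindow {
  start: number; // when this window opened
  count: number; // attempts recorded in it
}

export class FixedWindowRateLimiter {
  private readonly windows = new Map<string, AttemptWindow>();
  private readonly config: RateLimitConfig;
  private readonly now: () => number;

  constructor(config: RateLimitConfig, now: () => number = () => Date.now()) {
    this.config = config;
    this.now = now;
  }

  /**
   * Records one attempt for `key` (the client IP) and decides whether it may
   * proceed. The key must be the real client address: behind a reverse proxy,
   * take X-Forwarded-For only from that proxy, otherwise every client shares
   * the proxy's address and one budget.
   */
  hit(key: string): RateLimitDecision {
    const t = this.now();
    let w = this.windows.get(key);
    if (w === undefined || t - w.start >= this.config.windowMs) {
      w = { start: t, count: 0 }; // first attempt, or the previous window expired
      this.windows.set(key, w);
    }
    if (w.count >= this.config.limit) {
      return { allowed: false, remaining: 0, retryAfterMs: w.start + this.config.windowMs - t };
    }
    w.count += 1;
    return { allowed: true, remaining: this.config.limit - w.count, retryAfterMs: 0 };
  }

  /** Drops expired windows so the map cannot grow without bound; returns the number removed. */
  cleanup(): number {
    const t = this.now();
    let removed = 0;
    this.windows.forEach((w, key) => {
      if (t - w.start >= this.config.windowMs) {
        this.windows.delete(key); // deleting during Map.forEach is safe
        removed += 1;
      }
    });
    return removed;
  }
}
```

`retryAfterMs` is what a Retry-After header would carry. Note that the README counts failed login attempts (business rule 5); whether successful logins also consume budget is a call the caller makes by choosing when to invoke `hit`.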

Session Management

  • Device Tracking: IP address and device info logging
  • Session Invalidation: Automatic logout on token refresh
  • Cleanup: Expired sessions are automatically removed
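The Token Security and Session Management lists together describe one refresh-token lifecycle: a 30-day lifetime, hashed storage, IP and device tracking, invalidation of the old session on refresh, and automatic removal of expired sessions. The following added example implements that lifecycle as an in-memory store; it is not the project's UserSession model or auth.service.ts. Session ids, the user id, the device string and the injectable clock are assumptions, and JWT access-token issuance is left out.

```typescript
import { createHash, randomBytes } from "crypto";

// Added example; not the project's UserSession model or auth.service.ts.
// Refresh tokens are valid for 30 days, stored only as hashes, tied to a
// session that records client IP and device info, rotated on every refresh
// (the previous session is revoked, so a token works once), revoked on
// logout, and swept out once expired. Ids, user id and clock are assumptions.

export const REFRESH_TTL_MS = 30 * 24 * 60 * 60 * 1000; // README: 30 days

export interface StoredSession {
  id: string;
  userId: string;
  refreshTokenHash: string; // the raw token is never stored
  ip: string;
  deviceInfo: string;
  createdAt: number;
  expiresAt: number;
  revokedAt?: number;
}

export interface IssuedSession {
  sessionId: string;
  refreshToken: string; // handed to the client exactly once
}

export function hashRefreshToken(token: string): string {
  // The token is 256 bits of randomness, so unsalted SHA-256 makes a leaked
  // database copy useless; the slow bcrypt hash is reserved for passwords.
  return createHash("sha256").update(token).digest("hex");
}

export class SessionStore {
  private readonly sessions = new Map<string, StoredSession>();
  private readonly now: () => number;

  constructor(now: () => number = () => Date.now()) {
    this.now = now;
  }

  issue(userId: string, ip: string, deviceInfo: string): IssuedSession {
    const refreshToken = randomBytes(32).toString("base64url");
    const t = this.now();
    const session: StoredSession = {
      id: randomBytes(16).toString("hex"),
      userId,
      refreshTokenHash: hashRefreshToken(refreshToken),
      ip,
      deviceInfo,
      createdAt: t,
      expiresAt: t + REFRESH_TTL_MS,
    };
    this.sessions.set(session.id, session);
    return { sessionId: session.id, refreshToken };
  }

  private isLive(s: StoredSession, t: number): boolean {
    return s.revokedAt === undefined && s.expiresAt > t;
  }

  /** Finds the live session behind a presented token (a database would index the hash). */
  private findLive(refreshToken: string): StoredSession | undefined {
    const h = hashRefreshToken(refreshToken);
    const t = this.now();
    let found: StoredSession | undefined;
    this.sessions.forEach((s) => {
      if (found === undefined && s.refreshTokenHash === h && this.isLive(s, t)) found = s;
    });
    return found;
  }

  /** Rotation: the presented token's session is revoked and a fresh one issued. */
  refresh(refreshToken: string, ip: string, deviceInfo: string): IssuedSession | null {
    const old = this.findLive(refreshToken);
    if (old === undefined) return null; // unknown, expired, revoked or replayed token
    old.revokedAt = this.now();
    return this.issue(old.userId, ip, deviceInfo);
  }

  /** Logout: revoke the session behind the presented token. */
  revoke(refreshToken: string): boolean {
    const s = this.findLive(refreshToken);
    if (s === undefined) return false;
    s.revokedAt = this.now();
    return true;
  }

  liveCount(): number {
    const t = this.now();
    let n = 0;
    this.sessions.forEach((s) => { if (this.isLive(s, t)) n += 1; });
    return n;
  }

  /** Removes expired and revoked sessions; returns how many were deleted. */
  cleanup(): number {
    const t = this.now();
    let removed = 0;
    this.sessions.forEach((s, id) => {
      if (!this.isLive(s, t)) { this.sessions.delete(id); removed += 1; }
    });
    return removed;
  }
}
```

Because `refresh` revokes before it issues, a refresh token that is presented a second time is rejected, which is how a stolen-and-replayed token becomes visible: a legitimate client whose rotation was pre-empted will fail its next refresh and have to log in again, and that failure is worth logging as a security event.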

Future Enhancements

Email Verification System

  • Email verification tokens
  • Resend verification emails
  • Email templates

Multi-Factor Authentication

  • TOTP (Time-based One-Time Password)
  • Backup codes generation
  • MFA setup and validation endpoints

Password Reset

  • Password reset tokens
  • Secure password reset flow
  • Email notifications

Enhanced Security

  • IP whitelisting
  • Device fingerprinting
  • Security event logging
  • Account lockout mechanisms

Testing

The application includes comprehensive validation and error handling:

  • Input Validation: All endpoints validate input using class-validator
  • Error Handling: Global exception filter for consistent error responses
  • Type Safety: Full TypeScript support with strict type checking
  • API Documentation: Swagger/OpenAPI documentation at /api/docs

Contributing

  1. Follow the established code style and patterns
  2. Ensure all tests pass
  3. Update documentation as needed
  4. Follow security best practices

License

This project is part of the Vibe Coding Lab and follows the established coding standards and security practices.