The AuthService class is a comprehensive authentication and user management service for a Node.js/Express/Mongoose-based application. It provides features for user registration, authentication, session management, profile updates, password/email changes, role-based access control, and more.
-
User Authentication Flows
- Signup with email verification (OTP).
- Signin with password validation.
- Google OAuth integration.
- JWT-based access and refresh tokens.
-
Session Management
- Secure, HTTP-only cookies for tokens.
- Session storage and validation in both MongoDB and Redis.
- Session invalidation on password/email changes and signout.
-
Profile and Settings
- Profile retrieval and selective updates.
- Avatar upload with Cloudinary.
- Address and feedback management.
-
Account Security
- Password hashing and validation.
- Verification for sensitive operations (email/password changes).
- Role-based access control (
restrictTomiddleware).
-
Admin/User Utilities
- Paginated user fetching with query, filter, sort, and field selection.
-
Sensitive Data Handling
- Passwords never returned in responses.
- Sessions protected with signed cookies and HMAC hashing.
- Sessions and tokens invalidated when credentials are changed.
-
Validation/Verification
- OTP for signup and email update.
- Password validation for password/email change.
- Role checks for restricted endpoints.
-
Session Storage
- Sessions stored in Redis (for fast validation) and MongoDB (for persistence).
-
Email Operations
- Secure email operations for verification and updates.
- Generic User Model
AuthService<T extends IUser>: Can be reused for different user schemas.
- Utilizes Utility Classes
- Utility functions (OTP, JWT, encryption) are abstracted for maintainability.
- Configurable Providers
- Swappable providers for Redis, Cloudinary, config, and email.
| Functionality | Method Name(s) |
|---|---|
| Signup/Auth | signup, signin, googleAuth |
| Token/Session | createSession, refreshToken, validateToken, requireAuth, signout, signoutSession, signoutAllSession |
| Profile Management | getProfile, updateProfile, getProfileFields, updateSettings |
| Security Updates | updatePassword, requestEmailUpdate, updateEmail |
| User Data | getUsers, updateAddresses, deleteAddresses, updateFeedback, getSessions |
| Access Control | restrictTo |
- Async Error Handling: All methods use a catchAsync utility for unified error management.
- Separation of Concerns: Service logic is separated from utility functions and configuration.
- Scalability: Bulk user operations are paginated and filterable.
- Security: Session invalidation, RBAC, token integrity, and consistent validation.
- Add Rate Limiting: Protect endpoints like signup and signin.
- Enhanced Logging: Integrate more granular logging for security events.
- Input Validation: Ensure all inputs are validated (ideally in route middleware).
- Testing: Add comprehensive tests for all critical flows.
graph TD
A[User] -->|Signup| B(AuthService.signup)
B -->|Verify OTP| C(AuthService.verifyEmail)
A -->|Signin| D(AuthService.signin)
D --> E[Session Created]
A -->|Google OAuth| F(AuthService.googleAuth)
A -->|Change Password| G(AuthService.updatePassword)
A -->|Change Email| H(AuthService.requestEmailUpdate)
H -->|Verify Link| I(AuthService.updateEmail)
A -->|Profile Update| J(AuthService.updateProfile)
A -->|Signout| K(AuthService.signout)
A -->|Get Sessions| L(AuthService.getSessions)
| Feature | MongoDB | Redis | Cloudinary | Security | |
|---|---|---|---|---|---|
| Signup/Verify | ✓ | - | - | ✓ | ✓ |
| Signin/Session | ✓ | ✓ | - | - | ✓ |
| Google Auth | ✓ | ✓ | - | - | ✓ |
| Password Reset/Change | ✓ | ✓ | - | - | ✓ |
| Email Update | ✓ | ✓ | - | ✓ | ✓ |
| Profile Update | ✓ | ✓ | ✓ | - | ✓ |
| Feedback/Addresses | ✓ | - | - | - | ✓ |
| RBAC | - | - | - | - | ✓ |
The AuthService class is a robust foundation for authentication and user management in a modern Node.js application. It follows best practices for security, extensibility, and maintainability, and is designed to scale and adapt as requirements evolve.