An extendable Role-Based Access Control (RBAC) authentication system with JWT, secure password hashing, and permission-based middleware. Built using Node.js, Express, and MongoDB under Opcode, IIIT Bhagalpur.

OPCODE-Open-Spring-Fest/RBAC

RBAC (Role Based Access Control)

Repository for OpenSpringFest (OSF)

πŸ” RBAC Authentication System

A secure and extendable Role-Based Access Control (RBAC) authentication system built with Node.js, Express, and MongoDB.
This project is developed and maintained under Opcode, IIIT Bhagalpur 🚀.


🌟 Features

  • ✅ User authentication with JWT
  • ✅ Refresh Token mechanism for persistent login
  • ✅ Secure password hashing (bcrypt)
  • ✅ Role-based access (Admin, User, Moderator, etc.)
  • ✅ Permission-based middleware for fine-grained access
  • ✅ Modular project structure for scalability
  • ✅ Ready for extension & contribution by the community

📂 Project Structure

rbac-auth/
├── src/
│   ├── config/        # DB & environment configs
│   ├── controllers/   # Request handlers
│   ├── middlewares/   # Auth & RBAC middlewares
│   ├── models/        # MongoDB schemas (User, Role, Permission)
│   ├── routes/        # API routes
│   ├── services/      # Business logic (auth, role mgmt)
│   ├── utils/         # Helper functions
│   └── index.js       # Entry point
├── tests/             # Unit & integration tests
├── .env.example       # Sample environment variables
├── .gitignore
├── package.json
└── README.md

🚀 Getting Started

1️⃣ Clone the Repository

git clone https://github.com/<your-org>/rbac-auth.git
cd rbac-auth

2️⃣ Install Dependencies

npm install

3️⃣ Set Up the Environment

Create a .env file in the root directory with the following variables:

# Server Configuration
PORT=5000

# Database Configuration
MONGO_URI=mongodb://localhost:27017/rbac
JWT_SECRET=your-secret-key
RESEND_API_KEY=your-resend-api-key

🔑 Note: The RESEND_API_KEY can be obtained by creating an account on Resend Mail and generating an API key.

4️⃣ Run the Project

npm run dev

5️⃣ Seed the Database

Before using the application, seed the database with default roles and permissions:

node src/seed/seedRoles.js

🔌 API Endpoints

Authentication Endpoints

| Method | Endpoint           | Description          | Body                                   |
|--------|--------------------|----------------------|----------------------------------------|
| POST   | /api/auth/register | Register a new user  | {username, email, fullname, password}  |
| POST   | /api/auth/login    | Login user           | {email, password}                      |
| POST   | /api/auth/refresh  | Refresh access token | {refreshToken}                         |
| POST   | /api/auth/logout   | Logout user          | {refreshToken}                         |

Role Management Endpoints

| Method | Endpoint                   | Description                | Auth Required |
|--------|----------------------------|----------------------------|---------------|
| GET    | /api/roles                 | Get all roles              | Yes           |
| POST   | /api/roles                 | Create new role            | Yes           |
| GET    | /api/roles/:id             | Get role by ID             | Yes           |
| PUT    | /api/roles/:id             | Update role                | Yes           |
| DELETE | /api/roles/:id             | Delete role                | Yes           |
| PUT    | /api/roles/:id/permissions | Assign permissions to role | Yes           |

Permission Management Endpoints

| Method | Endpoint             | Description           | Auth Required |
|--------|----------------------|-----------------------|---------------|
| GET    | /api/permissions     | Get all permissions   | Yes           |
| POST   | /api/permissions     | Create new permission | Yes           |
| GET    | /api/permissions/:id | Get permission by ID  | Yes           |
| PUT    | /api/permissions/:id | Update permission     | Yes           |
| DELETE | /api/permissions/:id | Delete permission     | Yes           |

RBAC Test Endpoints

| Method | Endpoint                   | Description       | Auth Required    |
|--------|----------------------------|-------------------|------------------|
| GET    | /api/rbac-test/admin-only  | Admin only access | Yes (Admin role) |
| GET    | /api/rbac-test/user-only   | User only access  | Yes (User role)  |

🔄 Authentication Flow

Login Flow

  1. User sends credentials to /api/auth/login
  2. Server validates the credentials
  3. Server generates both an access token (short-lived) and a refresh token (long-lived)
  4. Both tokens are returned to the client

Token Refresh Flow

  1. When the access token expires, the client sends the refresh token to /api/auth/refresh
  2. Server validates the refresh token
  3. Server generates a new access token
  4. The new access token is returned to the client

Logout Flow

  1. Client sends the refresh token to /api/auth/logout
  2. Server invalidates the refresh token in the database
  3. Client should discard both tokens

🔄 System Flows

🔑 Authentication Flow

  1. User signs up → password hashed → stored in DB
  2. User logs in → JWT issued
  3. JWT validated for protected routes
  4. RBAC middleware checks user role/permission

🛂 Role & Permission Flow

  1. Admin can create roles and assign permissions
  2. Users get assigned roles
  3. Middleware checks role/permission before accessing API
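The centralised middleware check from both flows above, as an added example rather than the project's own middlewares/ code: Express-shaped `requireRole` and `requirePermission` factories. It assumes an upstream auth middleware has verified the JWT and set `req.user = { id, role }`; the role-to-permission map and the `mockRes` helper are constructed stand-ins for the seeded collections and for an Express response.

```javascript
// Role -> permission map: a constructed stand-in for the seeded Role and
// Permission collections (the real app would load these from MongoDB).
const ROLE_PERMISSIONS = {
  Admin: new Set(['role:read', 'role:write', 'permission:write', 'user:read']),
  Moderator: new Set(['user:read', 'user:ban']),
  User: new Set(['user:read:self']),
};

// Sends the error response and returns false so tests can observe the outcome
// (Express itself ignores middleware return values).
function deny(res, status, message) {
  res.status(status).json({ error: message });
  return false;
}

// Role check: 401 when there is no authenticated user, 403 when the role is not allowed.
// Assumes an upstream auth middleware verified the JWT and set req.user = { id, role }.
function requireRole(...allowedRoles) {
  return (req, res, next) => {
    if (!req.user) return deny(res, 401, 'authentication required');
    if (!allowedRoles.includes(req.user.role)) return deny(res, 403, 'forbidden');
    next();
    return true;
  };
}

// Permission check: the role is resolved to its permission set on the server,
// so the token carries only a role name and clients cannot self-assert permissions.
function requirePermission(permission) {
  return (req, res, next) => {
    if (!req.user) return deny(res, 401, 'authentication required');
    const perms = ROLE_PERMISSIONS[req.user.role];
    if (!perms || !perms.has(permission)) return deny(res, 403, 'forbidden');
    next();
    return true;
  };
}

// Minimal Express-like response object so the middleware can run without a server.
function mockRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Route wiring as in /api/rbac-test/admin-only (authenticate is the JWT middleware):
//   router.get('/admin-only', authenticate, requireRole('Admin'), handler);
//   router.put('/roles/:id/permissions', authenticate, requirePermission('role:write'), handler);
```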


🛠 Contribution Guide

We ❤️ contributions! Follow these steps to get started:

  1. Fork the repository
  2. Create a branch (feature/auth-flow, fix/bug-x)
  3. Commit changes (use clear, descriptive messages)
  4. Push your branch
  5. Open a Pull Request 🚀

✅ Contribution Hints

  • Keep PRs small & focused
  • Follow coding style (ESLint + Prettier recommended)
  • Add tests when introducing new features
  • Use issues to discuss before large changes


📌 Hints for Contributors

  • 🔒 Always hash passwords before storing
  • 🔑 Use JWT for stateless authentication
  • 🛂 Centralize RBAC logic in middlewares
  • 🧩 Keep business logic in services, not controllers
  • 📚 Write meaningful commit messages


🤝 Community

This project is part of Opcode, IIIT Bhagalpur. Maintainers will review PRs, suggest changes, and merge contributions. Use Issues to report bugs or suggest features.

📜 License

This project is licensed under the MIT License. You’re free to use, modify, and distribute this project with attribution.
