A RESTful API for a Role-Based Access Control system where permissions to perform certain tasks can be granted to users by assigning them specific roles. Here we don't have to manage permissions for every user. Instead, we have to create roles, map permissions with them, and then assign those roles to users. All the users who have been assigned a specific role inherit all the permissions mapped to it.
This project is built using Express.js and MongoDB; all the APIs are well-documented using Swagger specification. User authentication has been implemented via JSON Web Tokens and the project is deployed on a DigitalOcean Droplet using Nginx as a web server.
I have hardcoded a total of 14 permissions that are shared differently between 3 roles - Viewer, Moderator and Admin. Users are allowed to perform certain tasks based on the role they are assigned. Users who haven't been assigned a role don't have any permissions, so they can't perform any task.
This table encapsulates the relationship between different permissions and roles.
| Permissions | Viewer | Moderator | Admin |
|---|---|---|---|
| View user | Yes | Yes | Yes |
| Assign role to user | No | Yes | Yes |
| Unassign role from user | No | Yes | Yes |
| Activate user | No | Yes | Yes |
| Deactivate user | No | Yes | Yes |
| Archive user | No | Yes | Yes |
| Restore archived user | No | Yes | Yes |
| Delete user | No | Yes | Yes |
| View role | Yes | Yes | Yes |
| Add new role | No | No | Yes |
| Update role | No | No | Yes |
| Delete role | No | No | Yes |
| Activate role | No | No | Yes |
| Deactivate role | No | No | Yes |
This project is deployed on a DigitalOcean Droplet and linked to a custom domain. To visit the live deployment, click here.
APIs are documented using Swagger (OpenAPI) specification and all of them are live and functional. To view Swagger docs, click here. Select RBAC production server in the dropdown menu and play with any API.
Postman is used to prototype, develop and test API endpoints. It is also used to document those APIs. To view Postman docs, click here.
- Authentication using JSON Web Tokens (signup, login, reset password)
- Authorization based on roles and permissions of a user
- Database modelling using various Mongoose schemas
- Applied filters, sorting and pagination on Mongoose documents
- APIs are deployed on a DigitalOcean Droplet using Nginx as a web server
- Configured PM2 to keep the API server running as a daemon process to ensure availability
- Utilized the cluster module to evenly distribute incoming requests across all CPU cores in the server
- APIs are documented using Swagger (OpenAPI) specification
- Validation of request payload using Joi library
- Logging of HTTP requests using Morgan
- Separate loggers for development and production environments
- Parsing of multipart/form-data using Formidable library
- Upload and delete images using Cloudinary APIs
- Ability to send emails using Nodemailer
- Setup routing using Express middlewares
- Centralized error handling using Express middlewares
- Project is based on MVC architecture
- Used Postman to prototype, develop, test and document APIs
This project consists of 2 schemas and 25+ routes and controllers.
| Action | Method | Route | Access Requirements |
|---|---|---|---|
| Signup | POST | /auth/signup | None |
| Login | POST | /auth/login | None |
| Logout | POST | /auth/logout | Authentication |
| Forgot password | POST | /auth/password/forgot | None |
| Reset password | PUT | /auth/password/reset/:token | None |
| Action | Method | Route | Access Requirements |
|---|---|---|---|
| Retrieve profile | GET | /users/self | Authentication |
| Update profile | PUT | /users/self | Authentication |
| Delete account | DELETE | /users/self | Authentication |
| Add profile photo | POST | /users/self/avatar | Authentication |
| Remove profile photo | PUT | /users/self/avatar | Authentication |
| Update profile photo | POST | /users/self/avatar/update | Authentication |
| Retrieve users | GET | /users | Authentication |
| Retrieve user by ID | GET | /users/:userId | Authentication + Authorization |
| Delete user | DELETE | /users/:userId | Authentication + Authorization |
| Assign role to user | PUT | /users/:userId/role/assign | Authentication + Authorization |
| Unassign role from user | PUT | /users/:userId/role/unassign | Authentication + Authorization |
| Activate user | PUT | /users/:userId/activate | Authentication + Authorization |
| Deactivate user | PUT | /users/:userId/deactivate | Authentication + Authorization |
| Archive user | PUT | /users/:userId/archive | Authentication + Authorization |
| Restore archived user | PUT | /users/:userId/restore | Authentication + Authorization |
| Action | Method | Route | Access Requirements |
|---|---|---|---|
| Retrieve all roles | GET | /roles | Authentication |
| Add new role | POST | /roles | Authentication + Authorization |
| Retrieve role by ID | GET | /roles/:roleId | Authentication + Authorization |
| Update role | PUT | /roles/:roleId | Authentication + Authorization |
| Delete role | DELETE | /roles/:roleId | Authentication + Authorization |
| Activate role | PUT | /roles/:roleId/activate | Authentication + Authorization |
| Deactivate role | PUT | /roles/:roleId/deactivate | Authentication + Authorization |