Healthmint is a decentralized health-data marketplace on Ethereum (Sepolia) that connects patients, providers, and researchers for consent-driven, encrypted data sharing. It's a portfolio project demonstrating full-stack Web3 engineering (React/Redux + Node/Express + MongoDB + IPFS + a Solidity marketplace contract) and security awareness — I audited my own code, found six real vulnerabilities, and fixed each in a focused commit.
HIPAA-aware, not HIPAA-compliant. This project implements the patterns a compliant system needs (encryption, consent, access control, audit logging) but is not certified, audited, or production-defensible. See SECURITY.md for the self-audit write-up and an honest list of limitations.
- Securely upload and manage health records
- Set detailed access controls
- Share anonymized data
- Monetize data access
- Track access history
- Discover and filter health datasets
- Purchase data with ETH
- Showcase credentials
- Follow research ethics guidelines
- HIPAA-aware design (see SECURITY.md)
- Off-chain encryption-key custody (keys never touch the chain)
- Signed-nonce wallet authentication (EIP-191)
- Blockchain-verified transactions
- Explicit consent management
- Persistent, indexed audit log
- Frontend: React.js, Redux, Tailwind CSS, Web3.js/Ethers.js, MetaMask
- Backend: Node.js, Express, MongoDB Atlas, Web3Storage (IPFS), JWT, Winston
- Blockchain: Ethereum (Sepolia), Solidity, Truffle, OpenZeppelin
- Storage: Web3Storage (IPFS) + MongoDB Atlas metadata
- Auth: UCAN tokens, JWT
```
healthmint/
├── client/
├── contracts/
├── migrations/
├── server/
└── truffle-config.js
```
- Hybrid storage (MongoDB + IPFS)
- End-to-end encrypted file uploads
- Consent and audit management
- Secure authentication with JWT and UCAN
- Rate limiting, CORS protection, validation
| Category       | Endpoints (examples)                             |
|----------------|--------------------------------------------------|
| Authentication | `/api/auth/wallet/connect`, `/register`          |
| Health Data    | `/api/data/upload`, `/browse`, `/purchase`       |
| Storage        | `/api/storage/upload`, `/get/:id`                |
| Users          | `/api/users/profile`, `/settings`, `/access-log` |
| Tests          | `/api/test/mongodb`, `/test/web3storage`         |
- Node.js v16+
- MongoDB Atlas account
- Web3Storage account
- MetaMask
- Sepolia ETH
```bash
git clone https://github.com/EPW80/Healthmint.git
cd Healthmint

# Server Setup
cd server
npm install
cp .env.example .env   # Fill in your environment variables
npm run dev

# Client Setup
cd ../client
npm install
cp .env.example .env   # Fill in API URL and network IDs
npm start
```

Contract deployment:

```bash
npm install -g truffle
truffle compile
truffle migrate --network sepolia
node server/scripts/deploy.js
```
- Connect MetaMask
- Register as Patient or Researcher
- Patients
  - Upload health records
  - Manage data sharing
  - View access history
- Researchers
  - Browse and filter datasets
  - Purchase datasets
We welcome any contributions to the application.
```bash
git checkout -b feature/my-feature
git commit -m "Add feature"
git push origin feature/my-feature
```

- Open a pull request
This was a deliberately surgical hardening pass. With more time, in rough priority order:
- Migrate IPFS pinning off the sunsetted Web3.Storage SDK to Pinata (`web3.storage`/`@web3-storage/w3up-client` are effectively unmaintained).
- Test footprint: Truffle contract tests (reentrancy on `purchaseData`, access control, refund path, paused-state), Jest backend tests (auth bypass regression, audit-write, upload), and a single CI workflow.
- Harden key custody — threshold/Shamir or a managed KMS instead of a single server-held KEK (see SECURITY.md).
- Modernize pinned deps (`ethers` v5→v6, `web3.js`, `crypto-js`) — out of scope for a surgical pass, intentionally deferred.
- Replace `console.*` with the already-present Winston logger server-side and gate client logging behind `NODE_ENV`.
- MIT license
