A backend-focused academic project demonstrating core Zero Trust authentication principles using Node.js, Express.js, JWT, bcrypt password hashing, protected routes and role-based access control.
This project was created to practice secure API access, token-based authentication and least privilege authorization logic.
The main goal of this project is to show how a backend API can protect private resources using Zero Trust principles:
- never trust requests by default;
- require authentication for protected data;
- validate JWT tokens on every protected request;
- restrict access based on user roles;
- use short session expiration;
- protect admin-only resources from regular users.

Features:
- User registration
- User login
- Password hashing with bcryptjs
- JWT token generation
- Token expiration after 10 minutes
- Protected route access
- Admin-only route access
- Role-based access control
- Middleware for token validation
- Basic CORS support
- In-memory user storage for academic demonstration

Built with:
- Node.js
- Express.js
- JSON Web Token
- bcryptjs
- CORS
API endpoints:

POST /register

Request body:

```json
{
  "username": "testuser",
  "password": "test123"
}
```

Response:

```json
{
  "message": "Registered successfully"
}
```

POST /login

Request body:

```json
{
  "username": "admin",
  "password": "admin123"
}
```

Response:

```json
{
  "message": "Login successful",
  "token": "jwt_token_here",
  "role": "admin"
}
```

GET /protected

Requires:

```
Authorization: Bearer <token>
```

Response:

```json
{
  "message": "You are inside protected data",
  "user": {
    "id": 1,
    "username": "admin",
    "role": "admin"
  }
}
```

GET /admin

Requires an admin JWT token. Regular users receive:

```json
{
  "error": "Forbidden"
}
```

GET /account

Requires a valid JWT token.
Testing:

The API was tested locally through PowerShell requests.

Confirmed behavior:
- Admin can log in successfully.
- Admin receives a JWT token.
- Protected route works only with a valid token.
- Admin route works only for users with the admin role.
- Regular users cannot access the admin route.
- Regular users receive `Forbidden` when trying to access /admin.
How to run:

Go to the backend folder:

```shell
cd backend
```

Install dependencies:

```shell
npm install
```

Start the server:

```shell
node server.js
```

The backend will run on:

http://localhost:5000
Example requests (PowerShell):

```powershell
$login = Invoke-RestMethod `
  -Method POST `
  -Uri http://localhost:5000/login `
  -ContentType "application/json" `
  -Body '{"username":"admin","password":"admin123"}'

$token = $login.token

Invoke-RestMethod `
  -Method GET `
  -Uri http://localhost:5000/protected `
  -Headers @{ Authorization = "Bearer $token" }

Invoke-RestMethod `
  -Method GET `
  -Uri http://localhost:5000/admin `
  -Headers @{ Authorization = "Bearer $token" }
```

Demo credentials:
- Username: admin
- Password: admin123
- Role: admin
This is an academic demonstration project. For production use, the following improvements are required:
- move JWT secret to environment variables;
- add `.env.example`;
- use a real database instead of in-memory storage;
- improve validation;
- add refresh token logic;
- add rate limiting;
- add request logging;
- add HTTPS deployment;
- add automated tests.
This project is functional as a backend authentication API demo. It is not a full-stack application. The focus is on backend authentication, JWT validation, protected routes and role-based access control.