Skip to main content

Glossary

Definitions of key terms, acronyms, and domain concepts used across the Reshma‑Core platform.

Domain Architecture Standards


How to Use This Glossary

  • Terms are listed in alphabetical order.
  • Cross‑references point to other glossary entries or relevant API module docs.
  • Acronyms are expanded on first use.

A

Access Token
Short‑lived JWT (15 minutes by default) used to authenticate API requests. Sent in the Authorization: Bearer header. Stored in memory (React state) – never in localStorage. See Authentication Guide.

ACID
Atomicity, Consistency, Isolation, Durability. MongoDB supports ACID transactions across multiple documents/collections. Used in checkout, account deletion, and return processing.

Admin
User role (role: "ADMIN") with full system privileges – can access admin endpoints, view dashboard metrics, dispatch orders, and arbitrate returns.

AppError
Custom error class used throughout the backend. All errors thrown via AppError are caught by the global error handler and formatted into the standard error response.

AWB
Airway Bill – unique tracking number generated by Shiprocket for a shipped order.


B

BaseProduct
The root Mongoose model for the polymorphic product catalog. All product types (BANGLE, APPAREL, FABRIC, INNERWEAR, ACCESSORY) inherit from BaseProduct.

bcrypt
Password hashing library used to hash user passwords with 12 salt rounds. The comparePassword instance method verifies login credentials.

BullMQ
Redis‑based job queue for background tasks: email sending, PDF invoice generation, search index synchronisation, data export.


C

Cart
User’s shopping cart. Prices are not stored – they are populated live from the product catalog to prevent stale data. See Cart Module.

Checkout
The process of converting a cart into an order. Uses an ACID transaction to validate stock, reserve inventory, and create a Razorpay order.

Cloudinary
Cloud image hosting service. Product images and user avatars are uploaded directly from memory buffers, converted to WebP, and served via CDN.

CodeQL
GitHub’s static analysis tool that scans for security vulnerabilities (e.g., NoSQL injection, log injection, rate‑limiting bypass). The codebase is hardened to pass CodeQL checks.

Coupon
Promotional discount code. Supports FLAT (fixed amount) and PERCENTAGE (percentage off) types. Validated against minimum cart value, expiry date, and usage limits. See Coupons Module.

CWE
Common Weakness Enumeration – a list of software vulnerability types. The codebase explicitly mitigates CWE‑20 (input validation), CWE‑77 (command injection), CWE‑117 (log injection), CWE‑285 (authorization), CWE‑400 (resource exhaustion), CWE‑770 (rate limiting), CWE‑943 (NoSQL injection).


D

Dashboard
Admin‑only analytics page showing revenue, order fulfillment, top‑selling products, inventory alerts, and pending support tickets. Uses MongoDB $facet aggregation pipelines.

Dead Letter Queue (DLQ)
BullMQ queue for jobs that failed after all retries. Used for Typesense sync failures and email delivery errors.

Discriminator (Mongoose)
A mechanism for single‑collection polymorphism. The Products collection stores all product types; each type has its own schema with required fields (bangleSizes, cupSizes, etc.).

DPDP
Digital Personal Data Protection Act (India’s privacy law). The platform supports Right to be Forgotten (account deletion) and Right to Access (data export).


E

Environment Variables
Configuration values stored in .env file and validated at startup by src/config/env.ts using Zod. Missing or invalid variables cause the server to exit immediately (fail‑fast).

Express
Node.js web framework. The API uses Express 5.x with middleware for rate limiting, authentication, validation, and logging.


F

$facet
MongoDB aggregation stage that runs multiple pipelines in parallel. Used in the dashboard to compute financials, fulfillment distribution, and top products in a single query.

Fail‑Fast
Boot philosophy: if any required environment variable is missing or invalid, the server crashes immediately with a descriptive error – never runs in an insecure state.


G

GDPR
General Data Protection Regulation (EU privacy law). The platform’s privacy engine (anonymisation, data export) is designed to comply with both DPDP and GDPR.

Google OAuth
Social login integration. Users can sign in with Google; their account has authProvider: "GOOGLE" and no password.

GST
Goods and Services Tax (Indian tax system). Orders calculate CGST, SGST, or IGST based on shipping address. Tax rates are stored per product (hsnCode, taxProfile).


H

Health Check
GET /api/v1/health endpoint that verifies connectivity to MongoDB, Redis, and Typesense. Used by load balancers (AWS ELB, Kubernetes) for liveness/readiness probes.

Helmet
Express middleware that sets secure HTTP headers (X‑Frame‑Options, X‑XSS‑Protection, etc.) to prevent common web vulnerabilities.

HMAC
Hash‑based Message Authentication Code – used to verify Razorpay webhook signatures. Prevents forged payment notifications.

HttpOnly
Cookie flag that makes the cookie inaccessible to JavaScript. The refresh token is stored in an HttpOnly cookie to prevent XSS theft.


I

IDOR
Insecure Direct Object Reference – a vulnerability where a user accesses another user’s data by changing an ID. Mitigated by ownership checks (e.g., order.user === req.user._id).

Interaction
Generic term for product reviews (REVIEW) and threaded comments (COMMENT). Supports upvoting/downvoting. See Interactions Module.

isActive
Soft‑delete flag on products and users. When false, the product is hidden from public catalog; the user cannot log in.


J

JWT
JSON Web Token – used for authentication. The platform implements a two‑token architecture: short‑lived access token (Bearer) and long‑lived refresh token (HttpOnly cookie).


L

Lazy Initialization
Creating a resource only when it is first needed. Used for wishlist documents – a new user has no wishlist document until they add their first item.

Linked Entity
Polymorphic association in support tickets. A ticket can link to an ORDER, PRODUCT, or RETURN. The service verifies ownership before creation (IDOR protection).


M

MongoDB
NoSQL document database. Used for all persistent data (users, products, orders, etc.). Supports ACID transactions and geospatial queries.

Mongoose
ODM (Object Document Mapper) for MongoDB. Provides schema validation, middleware (pre‑save hooks), and discriminators.

Multer
Middleware for handling multipart/form-data file uploads. Images are stored in memory as buffers and streamed directly to Cloudinary (no disk write).


N

Nodemailer
Email sending library. Used with SMTP (e.g., Gmail) to send transactional emails (OTP, order confirmations, password reset). Emails are queued via BullMQ.

NoSQL Injection
Attack where malicious query operators (e.g., { "$ne": null }) are injected into request parameters. Mitigated by Zod validation and using $eq in queries.

Notification
In‑app alert stored in the database. Created for order status changes, support replies, security events, and data export completions. See Notifications Module.


O

ObjectId
MongoDB’s 12‑byte unique identifier (24 hex characters). Validated by Zod regex /^[0-9a-fA-F]{24}$/ to prevent NoSQL injection.

Order
Snapshot of a completed checkout. Contains frozen product data (price, tax, name) at the time of purchase – never changes. See Orders Module.

OTP
One‑Time Password – 6‑digit code sent via email for verification (email verification, password change). Stored in Redis with 10‑minute TTL; deleted after use.


P

Polymorphic Linking
A single field (linkedEntity) that can reference different entity types (ORDER, PRODUCT, RETURN). Achieved by storing entityType + entityId.

Product Types
The five polymorphic categories: BANGLE, APPAREL, FABRIC, INNERWEAR, ACCESSORY. Each has required fields (e.g., bangleSizes, cupSizes).

protect
Express middleware that verifies the JWT access token and attaches req.user. Applied to all private routes.


Q

Queue
See BullMQ.


R

Rate Limiting
Throttling requests per IP using express-rate-limit with Redis store. Global: 100/15min; Auth: 10/hour; Checkout: 5/hour; Health: 3000/15min.

Razorpay
Indian payment gateway. Integrated for order payments, refunds, and webhook verification.

RBAC
Role‑Based Access Control. Endpoints use restrictTo("ADMIN") to block standard users from admin routes.

Redis
In‑memory data store. Used for rate limiting counters, OTP storage, BullMQ queues, and distributed locks.

Refresh Token
Long‑lived JWT (7 days) stored in an HttpOnly cookie. Used to obtain new access tokens without re‑login. Blacklisted on logout.

restrictTo
Middleware that checks req.user.role against allowed roles. Used after protect to enforce RBAC.

Return
RMA (Return Merchandise Authorization) request. Follows state machine: PENDING_APPROVALAPPROVED/REJECTEDREFUNDED. See Returns Module.


S

Saga
Distributed transaction pattern. Account deletion uses a saga across Cart, Wishlist, Orders, Returns, Support, and User deletion – all wrapped in a MongoDB transaction.

Self‑Healing
Automatic cleanup of stale data. Wishlist endpoint removes products that are inactive or deleted (ghost items) on every read.

Shiprocket
Indian logistics aggregator. Integrated for order dispatch, AWB generation, and delivery tracking webhooks.

SLA
Service Level Agreement – for support tickets: responses must respect state machine (OPENIN_PROGRESSWAITING_ON_CUSTOMER → etc.). Closed tickets cannot be revived.

SMTP
Simple Mail Transfer Protocol – used by Nodemailer to send emails.

standardLimiter
Global rate limiter applied to all routes (100 requests per 15 minutes). See Rate Limiting Guide.

Step‑Up Authentication
Requiring both OTP and current password to change a password. Prevents session hijacking.

Support Ticket
Customer inquiry with threaded conversation. Has status (OPEN, IN_PROGRESS, WAITING_ON_CUSTOMER, RESOLVED, CLOSED) and priority (LOW, MEDIUM, HIGH, CRITICAL). See Support Module.


T

TicketId
Human‑readable ticket identifier (e.g., TCK-9A4B2). Generated automatically by a pre‑save hook using crypto.randomBytes(4).

Two‑Token Architecture
Security design using short‑lived access tokens (Bearer header) and long‑lived refresh tokens (HttpOnly cookie). See Authentication Guide.

Typesense
RAM‑based search engine. Provides typo‑tolerant (num_typos: 2), faceted search with sub‑50ms latency.


U

User
Core identity entity. Stores profile, addresses, preferences, and loyalty points. Supports LOCAL (email/password) and GOOGLE authentication providers.


V

Validation (Zod)
All request payloads (body, query, params) are validated using Zod schemas. .strict() rejects extra fields, preventing mass assignment.


W

Webhook
HTTP callback from external services (Razorpay, Shiprocket). Verified using HMAC signatures or API keys. Updates order status and payment state.

Winston
Logging library. Writes JSON logs to rotating files and console. Used for HTTP request logging (Morgan integration) and application logs.

Wishlist
User’s saved products. Implemented as a separate collection (not embedded in User) with a hard capacity limit of 100 items. Self‑healing removes inactive products.


X

XSS
Cross‑Site Scripting – injection of malicious scripts. Mitigated by storing access tokens in memory (not localStorage) and using HttpOnly cookies for refresh tokens.


Y

(No terms)


Z

Zod
TypeScript‑first schema validation library. Used to validate environment variables, request bodies, query parameters, and URL params. Provides type inference and runtime validation.



Glossary v1.0 – Last updated: May 2026