Skip to main content

Authentication Module

The highly secure, stateless perimeter defending the Reshma-Core platform. Manages identity verification, session persistence, and cryptographic token issuance.

JWT Redis Zod


Overview

The Auth Module (src/modules/auth/) dictates how users enter and maintain their session. It is completely decoupled from the User model, focusing on behaviour, cryptographic validation, and session state.

It implements a strict OWASP‑compliant two‑token architecture to neutralise XSS and CSRF attacks. All routes are prefixed with /api/v1/auth and protected by a dedicated authLimiter (10 requests per hour per IP).


Architectural Layers

The module adheres to Separation of Concerns, isolating HTTP transport from business logic.

LayerFile(s)Responsibility
DTOsdtos/*.dto.ts (e.g., register.dto.ts, login.dto.ts)Zod schemas – input sanitisation, password strength, legal consent (acceptPrivacyPolicy).
Controllerauth.controller.tsHTTP boundary – receives validated payloads, calls service, issues tokens, sets HttpOnly cookies.
Serviceauth.service.tsCore logic – OTP generation, Redis interactions (caching & blacklist), Google OAuth verification, async notifications.
Utilsauth.utils.tsJWT signing, cookie configuration (sameSite, secure, httpOnly).

API Endpoint Specifications

All endpoints are rate‑limited by authLimiter (10 requests/hour/IP).

MethodEndpointAccessPurpose
POST/registerPublicCreates user with isEmailVerified: false, generates OTP (Redis TTL 10 min), queues email.
POST/verify-otpPublicValidates OTP, deletes it (replay protection), activates user, issues two‑token session.
POST/loginPublicVerifies credentials, checks isEmailVerified & isActive, issues session, updates lastLogin.
GET/refreshPublicAccepts HttpOnly refresh cookie, returns fresh access token.
GET/logoutProtectedBlacklists refresh token in Redis, clears cookie.
POST/googlePublicVerifies Google idToken, auto‑verifies email, merges unverified local accounts, issues native session.
POST/forgot-passwordPublicSends password reset link (token stored in Redis, 15 min TTL).
POST/reset-passwordPublicValidates token, updates password (bcrypt hashed), deletes token.

Core Business Logic Highlights

1. Safe Collision Recovery (UX)

If a user registers but never verifies their OTP, their account remains in a “limbo” state. If they register again with the same email, the system overwrites their credentials (name, password, phone) and issues a fresh OTP – no 409 Conflict. Prevents user frustration.

2. Redis State Management

PurposeRedis CommandTTL
OTP cachingSETEX otp:email 600 <otp>10 minutes
Token blacklistSETEX blacklist:token <remainingTTL> "revoked"Matches JWT expiry
Password reset tokenSETEX pwd_reset:<hash> 900 <userId>15 minutes

3. Two‑Token Pipeline

TokenLifespanStoragePurpose
Access Token15 minFrontend memory (React state)Authorises API requests. Destroyed on refresh.
Refresh Token7 daysHttpOnly, Secure, SameSite=Strict cookieSilent token renewal. Invisible to JavaScript – immune to XSS.

Security Dependencies

  • bcrypt – password hashing and verification.
  • crypto.randomInt – cryptographically secure OTP generation (not Math.random).
  • express-rate-limitauthLimiter distributed with Redis store.
  • google-auth-library – verification of Google idToken.

FilePurpose
src/modules/auth/auth.controller.tsHTTP layer.
src/modules/auth/auth.service.tsBusiness logic.
src/modules/auth/auth.routes.tsRoute definitions, middleware stacking.
src/modules/auth/auth.utils.tsToken signing, cookie management.
src/modules/auth/dtos/*.dto.tsZod validation schemas.
src/shared/middlewares/auth.middleware.tsprotect – JWT verification & user loading.
src/shared/middlewares/rate-limit.middleware.tsDistributed rate limiting (authLimiter).

See Also


The Reshma‑Core Team