- Student: Anton Paskanny.
- Mentor: Yaroslav Denisenko.
Six Cities is a service for travelers who don't want to overpay for accommodation rental. Choose one of six popular cities for travel and get an up-to-date list of rental offers.
This is a backend service for the "Six Cities" project. The main features include rental offer management, user authentication, comments system, and favorites functionality. The service provides both REST API and CLI interfaces.
src- Backend services (Node.js, TypeScript)shared- Shared libraries and utilitiesmocks- Mock data and server configuration
The project uses a modular architecture where each service handles a specific domain:
- REST API - Main application server with all endpoints
- CLI Application - Command-line interface for data management
- Database Services - MongoDB integration for data persistence
- File Services - File upload and management
- Authentication - JWT-based user authentication
The application includes comprehensive security measures to protect against common web vulnerabilities:
- Rate Limiting - Redis-based rate limiting system with different limits for different endpoint types:
- Public endpoints: 100 requests/minute per IP
- Authentication endpoints: 5 requests/minute per IP (prevents brute force attacks)
- File upload endpoints: 10 requests/minute per IP
- User API endpoints: 1000 requests/minute per authenticated user
- Security Headers - Helmet.js integration providing:
- X-Frame-Options (clickjacking protection)
- X-Content-Type-Options (MIME type sniffing protection)
- X-XSS-Protection (XSS protection)
- Content-Security-Policy (CSP)
- CORS Protection - Configurable cross-origin resource sharing with production/development modes
- Request Size Limits - Protection against large payload attacks (10MB limit)
- Input Validation - Comprehensive request validation using class-validator
- Authentication Middleware - JWT token validation and private route protection
- Caching System - Redis-based distributed caching with TTL management (Redis required; no in-memory fallback)
The application implements a Redis-based rate limiting system that provides enterprise-grade protection against abuse and DDoS attacks.
- Redis Storage: All rate limiting data is stored in Redis, ensuring persistence across application restarts
- Shared Infrastructure: Leverages existing Redis instance used for caching, providing efficient resource utilization
- Multi-Tier Protection: Different rate limits for different endpoint types based on security requirements
- User-Aware Limiting: Authenticated users get higher limits while maintaining security
| Endpoint Type | Rate Limit | Purpose | Security Benefit |
|---|---|---|---|
| Public APIs | 100 req/min | General API access | Prevents API abuse |
| Authentication | 5 req/min | Login/signup endpoints | Prevents brute force attacks |
| File Uploads | 10 req/min | Image and file uploads | Prevents storage abuse |
| User APIs | 1000 req/min | Authenticated user endpoints | High limits for legitimate users |
- Backend Framework: Node.js with Express
- Language: TypeScript
- Database: MongoDB
- Authentication: JWT-based
- File Handling: Multer for uploads
- Validation: class-validator for request validation
- Security: Helmet.js, express-rate-limit
- Caching: Redis (required)
- Documentation: Swagger/OpenAPI
- Testing: Jest
- User registration and JWT authentication
- Rental offer management (CRUD operations)
- City-based offer filtering
- Comments and reviews system
- Favorites functionality
- Premium offers highlighting
- File uploads for offer images
- Search and filtering capabilities
- Pagination and sorting
- CLI tools for data management
- Creating new rental offers
- Editing existing offers
- Deleting offers
- Getting list of rental offers
- Getting detailed offer information
- Getting list of comments for offers
- Adding comments to offers
- Creating new users
- User login to private area
- User logout from private area
- Checking user status
- Getting premium offers for cities
- Getting list of favorite offers
- Adding/removing offers to/from favorites
- RESTful API design with proper HTTP methods
- Modular architecture with clear separation of concerns
- Comprehensive error handling and validation
- CLI tools for data generation and management
- Full frontend integration provided for reference
The application has been enhanced with modern security practices to address common web vulnerabilities:
- DDoS Attacks - Rate limiting prevents resource exhaustion and abuse
- Brute Force Attacks - Low rate limits on authentication endpoints
- Clickjacking - X-Frame-Options header protection
- XSS Attacks - Security headers and input validation
- CSRF Attacks - CORS configuration and token validation
- File Upload Abuse - Rate limiting and size restrictions
- Information Disclosure - Security headers prevent sensitive data leakage
- Defense in Depth - Multiple layers of security controls
- Zero Trust - All requests are validated and rate-limited
- Secure by Default - Security features enabled out of the box
- Configurable Security - Environment-based security settings
- Monitoring Ready - Rate limit headers for observability
- OWASP Top 10 - Addresses major web application security risks
- Modern Web Standards - Implements current security best practices
- Production Ready - Enterprise-grade security features
The application supports environment-based configuration for security and deployment settings:
# Rate Limiting Configuration
RATE_LIMIT_WINDOW_MS=60000 # Time window in milliseconds
RATE_LIMIT_MAX_PUBLIC=100 # Public endpoint limit
RATE_LIMIT_MAX_AUTH=5 # Authentication endpoint limit
RATE_LIMIT_MAX_UPLOAD=10 # File upload limit
RATE_LIMIT_MAX_USER_API=1000 # User API limit
# Redis Configuration
REDIS_HOST=localhost # Redis server host
REDIS_PORT=6379 # Redis server port
REDIS_PASSWORD= # Redis server password (optional)
REDIS_DB=0 # Redis database number
# Security Configuration
NODE_ENV=development # Environment mode
HOST=localhost # Server host
PORT=4000 # Server port
JWT_SECRET=your-secret-key # JWT signing secret
SALT=your-salt-value # Password hashing salt
MAX_REQUEST_SIZE=10mb # Maximum request body size- Clone the repository
- Install dependencies:
npm install - Configure environment variables (see above)
- Start services with Docker Compose:
docker-compose -f docker-compose.dev.yml up -d
- Start development server:
npm run start:dev - Build for production:
npm run build
- MongoDB:
localhost:27017(Database) - Mongo Express:
localhost:8081(Database UI) - Redis:
localhost:6379(Cache & Rate Limiting) - Redis Commander:
localhost:8082(Cache UI) - API Server:
localhost:4000(REST API)
Create a .env file in the root directory with the configuration variables listed above, or use the default values provided in the configuration schema.
The repository was created for learning on the professional online course Node.js. REST API Design from HTML Academy.