This project demonstrates a secure authentication system using JWT (access + refresh tokens) with blacklist support for logout.

It includes:

- Signup & Login functionality
- Get profile protected route functionality
- JWT access token with expiry
- Refresh token system using an `httpOnly` cookie
- Token blacklist on logout (to prevent reuse)
- Protected route example (`/profile`)
- MongoDB for user and blacklist token storage

Tech stack:

- Node.js
- Express.js
- MongoDB + Mongoose
- JWT (jsonwebtoken)
- bcrypt
- dotenv
- cookie-parser
- CORS
| Feature | Description |
|---|---|
| `POST /auth/signup` | Register a new user |
| `POST /auth/login` | Authenticate user and return access + refresh token |
| `POST /auth/logout` | Invalidate current access token by blacklisting it |
| `POST /auth/refresh-token` | Generate new access token using refresh token stored in httpOnly cookie |
| `GET /auth/profile` | Access protected route (requires valid access token) |
- **Signup/Login**
  - Save the `access token` in localStorage (frontend)
  - The `refresh token` is auto-set in an `httpOnly` cookie
- **Access Protected Route**
  - Pass the `access token` in the `Authorization: Bearer <token>` header
- **On Expired Access Token**
  - Call `/auth/refresh-token` to get a new access token
  - Replace the old access token in localStorage
- **Logout**
  - Call `/auth/logout`, which blacklists the current token
Developed by @jeevan42 🔥

Feel free to fork & use!