A full-stack authentication system built with NestJS (backend) and Next.js (frontend) featuring JWT authentication, session management, and multi-device support.
Backend:
- NestJS 11
- PostgreSQL
- TypeORM
- JWT Authentication
- bcryptjs
- Swagger API Documentation
Frontend:
- Next.js 15
- React 19
- TanStack Query
- Shadcn UI
- Tailwind CSS
- Zod Validation
- β User Registration & Login
- β JWT Access & Refresh Tokens
- β HttpOnly Cookie-based Authentication
- β Multi-device Session Management (Max 3 devices)
- β Token Blacklisting
- β Account Lockout (5 failed attempts, 15 min duration)
- β Device Tracking (IP, User-Agent, Platform)
- β Session Revocation (single & all devices)
- β Automatic Session Cleanup (Cron Jobs)
- β Environment Validation
- β Full TypeScript Support
- β Swagger API Documentation
- Node.js 20+
- PostgreSQL 14+
- pnpm (recommended) or npm
cd backendpnpm installCreate a .env file:
DB_HOST=localhost
DB_PORT=5432
DB_USERNAME=postgres
DB_PASSWORD=your_password
DB_NAME=mutual_funds_loan
JWT_SECRET=your-super-secret-jwt-key-at-least-32-characters-long
JWT_EXPIRATION=1h
JWT_REFRESH_EXPIRATION=7d
MAX_LOGIN_ATTEMPTS=5
LOGIN_BLOCK_DURATION=900
PORT=8000
NODE_ENV=developmentpsql -U postgres
CREATE DATABASE mutual_funds_loan;
\qpnpm run migration:run# Development mode
pnpm run start:dev
# Production mode
pnpm run build
pnpm run start:prodBackend will be running at: http://localhost:8000
Swagger Documentation: http://localhost:8000/api/docs
cd frontendpnpm installpnpm run devFrontend will be running at: http://localhost:3000
POST /auth/register- Register new userPOST /auth/login- Login userPOST /auth/logout- Logout current sessionPOST /auth/logout-all- Logout from all devicesPOST /auth/refresh- Refresh access tokenGET /auth/profile- Get user profile (protected)
GET /auth/sessions- Get active sessions (protected)DELETE /auth/sessions/:id- Revoke specific session (protected)POST /auth/cleanup/manual- Manual cleanup (protected)
- id, email, password, firstName, lastName, phone, panNumber
- isActive, loginAttempts, lockedUntil, lastLoginAt
- createdAt, updatedAt
- id, userId, sessionToken, refreshToken
- deviceInfo (JSON), ipAddress, userAgent
- isActive, expiresAt, lastAccessedAt, createdAt
- id, token, tokenType, reason, expiresAt, createdAt
- Password Hashing: bcrypt with 12 salt rounds
- JWT Tokens: Secure access & refresh tokens
- HttpOnly Cookies: Prevents XSS attacks
- Token Blacklisting: Invalidates revoked tokens
- Account Lockout: 5 failed attempts = 15 min lockout
- Session Limits: Max 3 concurrent sessions per user
- Automatic Cleanup: Cron jobs remove expired tokens/sessions
- Environment Validation: Ensures required config exists
- Every Hour: Cleanup expired blacklisted tokens
- Every 6 Hours: Cleanup expired sessions
- Daily (Midnight): Full cleanup of both tokens and sessions
- Start the backend server
- Navigate to http://localhost:8000/api/docs
- Register a new user via
/auth/register - Login via
/auth/loginto get tokens - Click "Authorize" and enter the access token
- Test protected endpoints
pnpm run build # Build for production
pnpm run format # Format code with Prettier
pnpm run lint # Lint code with ESLint
pnpm run migration:generate # Generate new migration
pnpm run migration:revert # Revert last migrationpnpm run build # Build for production
pnpm run start # Start production server
pnpm run lint # Check code with Biome
pnpm run format # Format code with Biome