Backend for a video-sharing platform with secure authentication (JWT access + refresh tokens), user profiles, and Cloudinary-powered media uploads.
- Backend: server/
- User auth
  - Register with avatar and optional cover image
  - Login, logout, refresh access token
  - Change password
  - Get current user
  - Update account, update avatar, update cover image
  - Watch history with populated owners
- Media uploads
  - Multer saves to local temp (public/temp)
  - Upload to Cloudinary via SDK, deletes temp files
- Utilities
  - Centralized error and response helpers
  - JWT-based auth middleware
  - CORS and cookie support
Key files:
- App entry: server/src/index.js
- Express app: server/src/app.js
- Mongo connect: server/src/db/index.js
- Auth middleware: server/src/middlewares/auth.middleware.js
- Multer: server/src/middlewares/multer.middleware.js
- Cloudinary helper: server/src/utils/cloudinary.js
- User routes: server/src/routes/user.routes.js
- User controller: server/src/controllers/user.controller.js
- Models: server/src/models
- Node.js, Express
- MongoDB, Mongoose
- JWT, bcrypt, cookie-parser
- Multer, Cloudinary
- CORS, dotenv, nodemon
- Install dependencies
  - Terminal (from server/)

```bash
npm install
```

- Run

```bash
# Dev (auto-restart)
npm run dev
# Prod
npm start
```

Server runs at http://localhost:${PORT}.
Base path: /api/v1/users
- POST /register
  - form-data (multipart)
    - text: fullname, email, username, password
    - files: avatar (required), coverImage (optional)
- POST /login
  - JSON: { email?: string, username?: string, password: string }
  - Sets httpOnly cookies: accessToken, refreshToken
- POST /logout
  - Auth required (Bearer header or cookies)
- POST /refresh-token
  - Uses refreshToken cookie or body.refreshToken
- POST /change-password
  - Auth required
  - JSON: { oldPassword, newPassword }
- GET /current-user
  - Auth required
- PATCH /update-account
  - Auth required
  - JSON: { fullName, email }
- PATCH /avatar
  - Auth required
  - form-data: avatar (file)
- PATCH /cover-image
  - Auth required
  - form-data: coverImage (file)
- GET /c/:username
  - Auth required
- GET /history
  - Auth required
Auth header format:

```
Authorization: Bearer <accessToken>
```

- Register (multipart)

```bash
curl -X POST http://localhost:2001/api/v1/users/register \
  -H "Accept: application/json" \
  -F "fullname=John Doe" \
  -F "email=john@example.com" \
  -F "username=john" \
  -F "password=secret" \
  -F "avatar=@/path/to/avatar.jpg" \
  -F "coverImage=@/path/to/cover.jpg"
```

- Login (JSON)

```bash
curl -X POST http://localhost:2001/api/v1/users/login \
  -H "Content-Type: application/json" \
  -d '{"email":"john@example.com","password":"secret"}' \
  -c cookies.txt -b cookies.txt
```

- Get current user (with cookies)

```bash
curl http://localhost:2001/api/v1/users/current-user -c cookies.txt -b cookies.txt
```

```
server/
  public/
    temp/
  src/
    controllers/
    db/
    middlewares/
    models/
    routes/
    utils/
    app.js
    index.js
```

- Env loading is done at the top of server/src/index.js.
- Global error handler added in server/src/app.js to normalize failures.
- Token extraction fixed in server/src/middlewares/auth.middleware.js to accept cookie or Authorization header.
- Cloudinary uploader in server/src/utils/cloudinary.js uses resource_type:auto and deletes temp files safely.
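
The cookie-or-header token extraction noted above, followed by HS256 verification with the algorithm pinned and `exp` enforced, as an added example that is not the project's auth.middleware.js. It assumes cookie-first precedence and uses Node's built-in crypto rather than a JWT library; the function names, secret and claims are constructed for illustration.

```javascript
// Added example, not the project's middleware. Names, secret and claims are constructed.
const crypto = require("node:crypto");

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const decode = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
const hmac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Builds a compact HS256 token; used here only to create sample input.
function signHS256(payload, secret, header = { alg: "HS256", typ: "JWT" }) {
  const input = `${b64url(header)}.${b64url(payload)}`;
  return `${input}.${hmac(input, secret).toString("base64url")}`;
}

// Assumed precedence: accessToken cookie first, then "Authorization: Bearer <accessToken>".
function extractToken(req) {
  if (req.cookies && req.cookies.accessToken) return req.cookies.accessToken;
  const m = /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/i.exec((req.headers || {}).authorization || "");
  return m ? m[1] : null;
}

function verifyAccessToken(req, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const token = extractToken(req);
  if (typeof token !== "string") return { ok: false, reason: "missing token" };
  const [h, p, s, extra] = token.split(".");
  if (!h || !p || !s || extra !== undefined) return { ok: false, reason: "malformed" };
  try {
    // Pin the algorithm: never let the token's own header choose how it is checked.
    const header = decode(h);
    if (!header || header.alg !== "HS256") return { ok: false, reason: "bad alg" };
    const given = Buffer.from(s, "base64url");
    const expected = hmac(`${h}.${p}`, secret);
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
      return { ok: false, reason: "bad signature" };
    // Claims are read only after the signature is valid.
    const payload = decode(p);
    if (!payload || typeof payload.exp !== "number" || payload.exp <= nowSec)
      return { ok: false, reason: "expired" };
    return { ok: true, payload };
  } catch {
    return { ok: false, reason: "malformed" };
  }
}

// Constructed demo input.
const DEMO_SECRET = "constructed-demo-secret";
const demo = signHS256({ _id: "u1", exp: Math.floor(Date.now() / 1000) + 900 }, DEMO_SECRET);
console.log(verifyAccessToken({ headers: { authorization: `Bearer ${demo}` } }, DEMO_SECRET));
console.log(verifyAccessToken({ cookies: { accessToken: demo } }, "wrong-secret"));
```
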
- MongoDB SRV ENOTFOUND
  - Your DNS cannot resolve the Atlas SRV record. Check host in MONGODB_URL, flush DNS, try another network, whitelist IP in Atlas.
- Cloudinary “Must supply api_key”
  - Ensure .env keys exist and have no spaces. Verify CLOUDINARY_* values log as present at startup.
  - Restart the server after editing .env.
- Postman shows “Cannot GET /api/v1/users/login”
  - The route is POST only. Use POST with JSON and Content-Type: application/json.
- req.body undefined on POST JSON
  - Ensure Content-Type: application/json header is set so express.json() can parse it.
- Video endpoints (upload, list, get-by-id, update, delete, increment views)
- Subscriptions, likes, comments, playlists
- Email verification + password reset
- Rate limiting, helmet, input validation
MIT — see Licence.