A full-stack authentication flow using React (Vite + MUI), Node.js, and Express with OTP-based verification and JWT token management using cookies. This project uses in-memory storage (no database) for demonstration purposes.
AUTH-FLOW/
├── backend/
│ ├── controllers/
│ ├── middleware/
│ ├── routes/
│ ├── .env
│ ├── package.json
│ └── server.js
├── frontend/
│ ├── public/
│ ├── src/
│ ├── .env
│ ├── package.json
│ └── vite.config.js
git clone https://github.com/sharmaHarshit2000/auth-flow.git
cd auth-flowcd backend
npm installCreate a .env file:
PORT=5000
NODE_ENV=development
JWT_SECRET=your_access_token_secret
REFRESH_SECRET=your_refresh_token_secret
Start the backend:
npm run dev # or node server.jscd frontend
npm installCreate a .env file:
VITE_API_URL=http://localhost:5000/api
Start the frontend:
npm run dev- User signs up with name, email, mobile, and password.
- OTP is generated and printed to console (for testing).
- OTP is verified; user is marked as verified.
- User logs in with email/mobile and password.
- OTP is generated and printed.
- OTP verification sets JWT
accessTokenandrefreshTokenin cookies.
- OTP is a 6-digit number generated and stored in-memory.
- OTP is valid for 5 minutes and stored like:
{ identifier: { otp, expiresAt } }. - OTP is printed to the console for testing/demo.
- Tokens (
accessToken,refreshToken) are stored in HTTP-only cookies usingres.cookie(). - Secure and SameSite settings configured using:
const COOKIE_OPTIONS = {
httpOnly: true,
sameSite: "Strict",
secure: process.env.NODE_ENV === "production",
};accessTokenexpires in 10 minutes.refreshTokenexpires in 1 day.- On API 401 error,
refreshTokenis used to get a newaccessToken(handled in frontendaxiosinterceptor). - On refresh failure, user is redirected to login.
- React 19 + Vite 7
- MUI v7
- React Hook Form + Yup (validation)
- Axios + Interceptors
- React Router v7
- React Toastify
"scripts": {
"dev": "vite",
"build": "vite build",
"lint": "eslint .",
"preview": "vite preview"
}
- GitHub: sharmaHarshit2000