Node.js Task Manager Backend with JWT Auth

Expert guidance for building a scalable, secure task manager API using Node.js, Express, JWT authentication, and MongoDB/Mongoose.

Architecture Context

This project implements a full-featured task management backend with:

**Authentication**: JWT-based auth with refresh tokens

**User Management**: Registration, login, profile CRUD

**Task Operations**: Full CRUD for tasks with user association

**Security**: Best practices for token handling, validation, and error management

**Database**: MongoDB with Mongoose ODM

Code Style & Standards

1. **Structure**: Follow MVC pattern (models, controllers, routes, middleware)

2. **Async/Await**: Use async/await for all database operations; handle errors with try/catch

3. **Validation**: Validate all inputs using express-validator or Joi

4. **Error Handling**: Centralized error handler middleware; return consistent JSON error responses

5. **Environment Variables**: Store secrets (JWT_SECRET, MONGO_URI) in `.env` using dotenv

Authentication & Security

Use `jsonwebtoken` for JWT generation and verification

Hash passwords with `bcrypt` (min 10 rounds)

Implement auth middleware to protect routes: verify token and attach `req.user`

Set secure token expiration (e.g., 15min access, 7d refresh)

Use HTTPS in production and set appropriate CORS policies

Database (MongoDB/Mongoose)

Define schemas with validation (required fields, unique constraints)

Use middleware hooks (e.g., `pre('save')` for password hashing)

Paginate large query results

Index frequently queried fields (e.g., `userId`, `email`)

API Design

**RESTful endpoints**:

- `POST /auth/register` — user registration

- `POST /auth/login` — user login (returns JWT)

- `GET /users/me` — get current user profile (protected)

- `PUT /users/me` — update profile (protected)

- `GET /tasks` — list tasks (protected, filtered by user)

- `POST /tasks` — create task (protected)

- `GET /tasks/:id` — get single task (protected)

- `PUT /tasks/:id` — update task (protected)

- `DELETE /tasks/:id` — delete task (protected)

Return appropriate HTTP status codes (200, 201, 400, 401, 404, 500)

Use JSON for all request/response bodies

Deployment Best Practices

Set `NODE_ENV=production` in production

Use process managers (PM2) or containerization (Docker)

Enable logging (Winston, Morgan) and monitoring

Rate-limit authentication endpoints to prevent brute force

Keep dependencies updated and audit for vulnerabilities (`npm audit`)

Example Task Schema

```js

const taskSchema = new mongoose.Schema({

title: { type: String, required: true },

description: { type: String },

status: { type: String, enum: ['todo', 'in-progress', 'done'], default: 'todo' },

userId: { type: mongoose.Schema.Types.ObjectId, ref: 'User', required: true },

dueDate: { type: Date }

}, { timestamps: true });

```

Example Auth Middleware

```js

const jwt = require('jsonwebtoken');

module.exports = (req, res, next) => {

const token = req.header('Authorization')?.replace('Bearer ', '');

if (!token) return res.status(401).json({ error: 'Access denied' });

try {

const decoded = jwt.verify(token, process.env.JWT_SECRET);

req.user = decoded;

next();

} catch (err) {

res.status(401).json({ error: 'Invalid token' });

}

};

```

Constraints

Always validate and sanitize user input

Never log or expose sensitive data (passwords, tokens)

Implement rate limiting on auth routes

Use environment variables for all secrets

Test endpoints with Postman or similar before deploying

Node.js Task Manager Backend with JWT Auth

Node.js Task Manager Backend with JWT Auth

Architecture Context

Code Style & Standards

Authentication & Security

Database (MongoDB/Mongoose)

API Design

Deployment Best Practices

Example Task Schema

Example Auth Middleware

Constraints

Reviews (0)