Auth-API (Secure JWT Authentication)

Produktionsnahe Auth-API mit Node.js, Express und PostgreSQL.

Features

Registrierung mit Argon2 Password Hashing
Login via Username oder E-Mail
JWT Access + Refresh Token Flow (inkl. Rotation)
Logout (Revocation des Refresh Tokens)
Authenticated me Endpoint
Passwortwechsel mit Session-Invalidierung
API-Key Schutz für alle Auth/Admin Endpoints
Parameterisierte SQL Queries (SQL-Injection Schutz)
Auto-Setup der benötigten Tabellen beim Start

Setup

Abhängigkeiten installieren:

npm install

Konfiguration erstellen:

cp .env.example .env

.env Werte setzen (insb. DB + JWT Secrets + API_KEY).
Server starten:

npm run dev

Endpoints

Public

`GET /`

API Basisstatus

`GET /health`

Healthcheck

Auth (alle benötigen `x-api-key` Header)

`POST /auth/register`

{
  "username": "demo_user",
  "email": "demo@example.com",
  "password": "VeryStrongPassword123!"
}

`POST /auth/login`

{
  "identifier": "demo_user",
  "password": "VeryStrongPassword123!"
}

Response enthält:

accessToken
refreshToken
user

`POST /auth/refresh`

{
  "refreshToken": "<refresh-token>"
}

Gibt neues accessToken + rotiertes refreshToken zurück.

`POST /auth/logout`

{
  "refreshToken": "<refresh-token>"
}

`GET /auth/me`

Benötigt:

x-api-key: <API_KEY>
Authorization: Bearer <access-token>

`POST /auth/change-password`

Benötigt:

x-api-key: <API_KEY>
Authorization: Bearer <access-token>

{
  "currentPassword": "VeryStrongPassword123!",
  "newPassword": "AnotherStrongPassword456!"
}

Admin (zusätzlich Bearer Token)

Alle /admin/* Endpoints benötigen:

x-api-key
Authorization: Bearer <access-token>

`GET /admin/users`

Liste aller Benutzer.

`GET /admin/users/:id`

Einzelnen Benutzer abrufen.

`PATCH /admin/users/:id`

{
  "username": "new_username",
  "email": "new@example.com",
  "isActive": true
}

`DELETE /admin/users/:id`

Benutzer löschen.

Security Hinweise

Nutze lange, zufällige Secrets (JWT_*_SECRET, API_KEY)
Nutze HTTPS in Produktion
Begrenze Token-Laufzeiten in sicherheitskritischen Umgebungen
Ergänze optional Rate Limiting und Audit Logging

Name		Name	Last commit message	Last commit date
Latest commit History 9 Commits
middleware		middleware
routes		routes
utils		utils
.env.example		.env.example
.gitattributes		.gitattributes
.gitignore		.gitignore
README.md		README.md
index.js		index.js
package-lock.json		package-lock.json
package.json		package.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Auth-API (Secure JWT Authentication)

Features

Setup

Endpoints

Public

`GET /`

`GET /health`

Auth (alle benötigen `x-api-key` Header)

`POST /auth/register`

`POST /auth/login`

`POST /auth/refresh`

`POST /auth/logout`

`GET /auth/me`

`POST /auth/change-password`

Admin (zusätzlich Bearer Token)

`GET /admin/users`

`GET /admin/users/:id`

`PATCH /admin/users/:id`

`DELETE /admin/users/:id`

Security Hinweise

About

Uh oh!

Releases

Packages

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

Auth-API (Secure JWT Authentication)

Features

Setup

Endpoints

Public

GET /

GET /health

Auth (alle benötigen x-api-key Header)

POST /auth/register

POST /auth/login

POST /auth/refresh

POST /auth/logout

GET /auth/me

POST /auth/change-password

Admin (zusätzlich Bearer Token)

GET /admin/users

GET /admin/users/:id

PATCH /admin/users/:id

DELETE /admin/users/:id

Security Hinweise

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

`GET /`

`GET /health`

Auth (alle benötigen `x-api-key` Header)

`POST /auth/register`

`POST /auth/login`

`POST /auth/refresh`

`POST /auth/logout`

`GET /auth/me`

`POST /auth/change-password`

`GET /admin/users`

`GET /admin/users/:id`

`PATCH /admin/users/:id`

`DELETE /admin/users/:id`

Packages