A modern, full-stack e-commerce platform with dual-backend architecture (Node.js + Cloudflare Workers) and React TypeScript frontend.

• Live Demo: Cloudflare Pages
• Features:
  • Day/Night mode toggle
  • Fully responsive design
  • Saffron & Navy Blue theme
  • Fast performance on Cloudflare Pages

rest-shop/
│
├─ frontend/            ← React + TypeScript + Tailwind CSS
│   ├─ src/
│   │   ├─ components/  # Reusable components
│   │   ├─ pages/       # Page components
│   │   ├─ contexts/    # React contexts (Auth, Theme)
│   │   ├─ api/         # API configuration
│   │   └─ App.tsx
│   ├─ public/
│   └─ package.json
│
├─ api/                 ← Node + Express + Mongoose
│   ├─ models/
│   ├─ routes/
│   ├─ controllers/
│   ├─ middleware/
│   ├─ services/
│   ├─ config/
│   ├─ utils/
│   ├─ test/
│   ├─ server.js
│   └─ package.json
│
├─ worker/              ← Cloudflare Worker (Edge Proxy)
│   ├─ src/
│   │   └─ index.js
│   ├─ wrangler.toml
│   └─ package.json
│
├─ docs/                ← Comprehensive documentation
└─ README.md

• Overview
• Frontend Features
• Architecture
• Connecting the Worker to the Node.js Backend
• Features
  • Enhanced Features
  • Security Features
  • Performance Features
• Technologies Used
• Getting Started
  • Prerequisites
  • Installation
  • Configuration
  • Running the Application
• API Endpoints
• Documentation
• Deployment
• CI/CD Pipeline
• Testing
• Monitoring and Observability
• Contributing

This is a comprehensive, professional-grade full-stack e-commerce platform with:

• Modern React Frontend: TypeScript, Tailwind CSS, responsive design
• RESTful API Backend: Node.js, Express, Mongoose, MongoDB
• Edge Distribution: Cloudflare Workers proxy for global performance
• Enterprise Features: Payment processing (Stripe, PayPal, M-Pesa), authentication, order management
• Automated CI/CD: GitHub Actions for continuous deployment

• Theme Colors: Bright Saffron (#FF9933) and Navy Blue (#002366)
• Dark/Light Mode: Toggle with persistence via localStorage
• Responsive Design: Mobile-first, works on all screen sizes
• Clean Interface: Professional, intuitive, and user-friendly

• React 19 with TypeScript
• Tailwind CSS for styling
• React Router for navigation
• Context API for state management (Auth, Theme, Cart)
• Axios for API communication

• Home: Hero section with featured products and value propositions
• Product Browsing: Grid layout with images, prices, and stock status; add-to-cart support
• Shopping Cart & Checkout: Persistent cart with multi-payment checkout (Card, Stripe, PayPal, M-Pesa)
• Authentication: Login, signup, and OAuth social login pages
• Order Management: View order history and status
• Payment History: Full transaction log for authenticated users
• About & Contact: Informational pages with a contact form
• Admin Interface: Protected dashboard for managing products, orders, and users
• Theme Toggle: Seamless day/night mode switching

See Frontend README for detailed frontend documentation.

The application uses a three-tier proxy architecture:

Frontend (Cloudflare Pages)
    ↓ HTTPS
Cloudflare Workers (Edge Proxy)
    ↓ HTTPS
Node.js Backend (Render)
    ↓
MongoDB Atlas

Components:

• Frontend (~100KB): React SPA deployed to Cloudflare Pages
• Cloudflare Workers (~10KB): Lightweight edge proxy for global distribution
• Node.js Backend: Full API with Mongoose/MongoDB operations
• MongoDB Atlas: Cloud database

Benefits:

• Global CDN distribution for frontend
• Fast edge routing via Workers
• Reliable Mongoose/MongoDB operations in Node.js
• Independent scaling of all layers
• Industry-standard architecture pattern

Deployment:

• Frontend: Cloudflare Pages (automatic via GitHub Actions)
• Workers: Cloudflare Workers (automatic via GitHub Actions)
• Backend: Render (auto-deploy on push)

See detailed documentation:

• Complete Deployment Guide
• GitHub CI/CD Setup
• Proxy Architecture Explanation

The previous architecture attempted to run Mongoose directly in Workers using Durable Objects. This has been replaced by the proxy architecture above to resolve runtime incompatibility issues.

# Deploy all services
npm run deploy:all

# Deploy individual services
npm run deploy:base      # Base service
npm run deploy:payments  # Payment service
npm run deploy:gateway   # Gateway (main entry point)

The most important step: The Cloudflare Worker acts as a proxy and needs to know where your Node.js backend is running.

1. Deploy your Node.js backend (Render or VPS):

   # Example with Render
   # Connect your GitHub repository in Render dashboard
   # Get your URL: https://your-app.onrender.com

2. Set the backend URL in your worker:

   cd worker
   wrangler secret put BACKEND_API_URL
   # Enter: https://your-app.onrender.com

3. Deploy the worker:

   wrangler deploy

4. Test the connection:

   curl https://your-worker.workers.dev/health
   # Should show both worker and backend are ok

You can skip the worker entirely and connect your frontend directly to the backend:

# Just run the Node.js backend
npm start

# Backend runs on http://localhost:3001
# Point your frontend to: http://localhost:3001

See Connection Guide for:

• Step-by-step instructions
• Multiple deployment options (Render, VPS)
• Troubleshooting common issues
• Configuration validation script

Check if your backends are connected correctly:

node api/scripts/validate-connection.js <backend-url> [worker-url]

# Example:
node api/scripts/validate-connection.js https://your-app.onrender.com https://your-worker.workers.dev

• User authentication and management with JWT
• OAuth 2.0 integration (Google, Microsoft, Apple)
• Multi-Gateway Payment Processing (Stripe, PayPal, M-Pesa)
• Product management with search, filtering, and pagination
• Advanced order management with status tracking
• Role-based access control (Admin/User)
• File upload for product images
• Inventory tracking (stock levels, SKU)
• Payment history and transaction logging
• Webhook handling for payment callbacks
• Comprehensive error handling
• CI/CD pipeline with GitHub Actions
• Cloudflare Workers deployment ready

• Email Verification: Secure email verification with time-limited tokens (24-hour expiry)
• Password Reset: Secure password reset functionality with email notifications (1-hour expiry)
• Two-Factor Authentication (2FA): TOTP-based 2FA with authenticator apps (Google Authenticator, Authy)
  • QR code generation for easy setup
  • 10 backup codes for account recovery
  • Time-based one-time passwords (RFC 6238 compliant)
• API Versioning: /api/v1 endpoints with backward compatibility for legacy routes

• Redis Caching: Automatic response caching for GET requests
  • Configurable TTL per endpoint
  • Automatic cache invalidation on mutations
  • Graceful degradation if Redis unavailable
• Database Indexing: Optimized indexes for frequently queried fields
• Lazy Loading: Selective field loading with Mongoose populate
• CDN Integration: Cloudinary for optimized image delivery

• WebSocket Notifications: Instant order and payment status updates
  • User-specific notification channels
  • CORS-protected WebSocket connections
  • Automatic reconnection handling
• Email Notifications: Automated email alerts for order status changes

• Automated Testing: Comprehensive test suite with Mocha/Chai
• Load Testing: Artillery-based performance testing scenarios
• Integration Tests: Full workflow testing
• Security Testing: npm audit, Snyk, CodeQL integration

For detailed documentation, see:

• Enhanced Features Guide - Complete setup and usage guide
• Monitoring & Observability - APM, metrics, and alerting
• Testing Guide - Comprehensive testing documentation

• Stripe: Credit/Debit card payments (Global)
• PayPal: PayPal account payments (Global)
• M-Pesa: Mobile money for Kenyan users (Kenya-specific)

• Secure Transaction Processing: PCI-compliant payment handling
• Real-time Payment Verification: Instant payment status updates
• Webhook Integration: Automatic callback processing
• Multi-Currency Support: USD, EUR, GBP, KES
• Transaction Logging: Complete audit trail
• Payment Status Tracking: Real-time order updates
• Refund Support: Built-in refund capabilities (Stripe, PayPal)

See the Payment API Documentation and M-Pesa Setup Guide for detailed integration instructions.

• Helmet.js: Security headers (CSP, HSTS, X-Frame-Options, XSS protection)
• CORS: Configurable origin restrictions
• Rate Limiting:
  • API endpoints: 100 requests/15 minutes
  • Authentication: 5 attempts/15 minutes
  • Signup: 5 accounts/hour
• Input Validation: express-validator on all routes
• Password Security: Bcrypt hashing with strength requirements
• Request Sanitization: Comprehensive XSS prevention with xss library
• ObjectId Validation: Prevents injection attacks
• JWT: 1-hour token expiration
• OAuth 2.0: Secure third-party authentication with single-use exchange codes — the JWT is never placed in a redirect URL (eliminates browser history, server log, and Referer leakage)
• HMAC State: Stateless CSRF protection for OAuth flows (RFC 6749 §10.12)
• Payment Security: Encrypted payment data, transaction logging
• PCI Compliance Ready: No card data storage on servers

• Tokenization: Card details never stored (Stripe tokens)
• Webhook Verification: Cryptographic signature validation
• IP Whitelisting: Restrict payment callbacks to gateway IPs
• Transaction Encryption: Sensitive payment metadata encrypted
• Audit Logging: Complete transaction history

• Minimum 8 characters
• At least one uppercase letter
• At least one lowercase letter
• At least one number
• At least one special character (@$!%*?&)

• React 19: Modern UI library
• TypeScript: Type-safe JavaScript
• Tailwind CSS: Utility-first CSS framework
• React Router: Client-side routing
• Axios: HTTP client for API requests
• Context API: State management

• Runtime: Node.js 18.x/20.x
• Framework: Express.js 4.x
• Database: MongoDB Atlas with Mongoose 8.x (with indexing for scalability)
  • See Database Migration Analysis for alternative options
  • See Mongoose Troubleshooting Guide for common issues
• Authentication: JWT (jsonwebtoken), Passport.js, OAuth 2.0
• OAuth Providers: Google, Microsoft, Apple
• Payment Gateways:
  • Stripe (Credit/Debit cards)
  • PayPal (PayPal accounts)
  • M-Pesa Daraja API (Mobile money - Kenya)
• HTTP Client: Axios (for payment gateway APIs)
• Security: Helmet, CORS, express-rate-limit, express-validator, xss
• File Uploads: Multer, Cloudinary
• Testing: Mocha, Chai, Sinon, Supertest
• Logging: Morgan, Custom transaction logging
• Environment: dotenv

• Frontend: Cloudflare Pages
• Edge Layer: Cloudflare Workers
• Backend: Render/VPS
• CI/CD: GitHub Actions
• Database: MongoDB Atlas

• Node.js (v18 or higher)
• MongoDB Atlas account
• npm or yarn package manager
• Git

1. Clone the repository:

   git clone https://github.com/Zoe-life/rest-shop.git
   cd rest-shop

2. Install dependencies for all components:

   # Install backend dependencies
   cd api && npm install
   
   # Install worker dependencies
   cd ../worker && npm install
   
   # Install frontend dependencies
   cd ../frontend && npm install

Create a .env file in the api/ directory (or copy from .env.example):

cd api
cp ../env.example .env

Edit the .env file with your configuration:

# Core Configuration
MONGODB_URI=mongodb+srv://username:password@cluster0.lifak.mongodb.net/
MONGO_ATLAS_PW=your_mongo_password
JWT_KEY=your_jwt_secret_key
NODE_ENV=development
ALLOWED_ORIGINS=http://localhost:3001,http://localhost:5173
FRONTEND_URL=http://localhost:5173
PORT=3001

# Backend API URL (used for OAuth callbacks)
# For local development: http://localhost:3001
# For production: https://your-backend.onrender.com or your deployed URL
BACKEND_API_URL=http://localhost:3001

# Email Service (for verification & password reset)
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER=your-email@example.com
SMTP_PASS=your-smtp-password
EMAIL_FROM=noreply@rest-shop.com

# Redis Cache (optional - for performance optimization)
REDIS_URL=redis://localhost:6379
# OR use individual settings:
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_PASSWORD=your-redis-password

# OAuth (optional - for social login)
# Get credentials from: https://console.cloud.google.com/apis/credentials
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
GOOGLE_CALLBACK_URL=http://localhost:3001/auth/google/callback

# Get credentials from: https://portal.azure.com
MICROSOFT_CLIENT_ID=your-microsoft-client-id
MICROSOFT_CLIENT_SECRET=your-microsoft-client-secret
MICROSOFT_CALLBACK_URL=http://localhost:3001/auth/microsoft/callback

# Get credentials from: https://developer.apple.com
APPLE_CLIENT_ID=your-apple-client-id
APPLE_TEAM_ID=your-apple-team-id
APPLE_KEY_ID=your-apple-key-id
APPLE_CALLBACK_URL=http://localhost:3001/auth/apple/callback

# Payment Gateways (optional - for payment processing)
STRIPE_SECRET_KEY=your-stripe-secret-key
PAYPAL_CLIENT_ID=your-paypal-client-id
PAYPAL_CLIENT_SECRET=your-paypal-client-secret
MPESA_CONSUMER_KEY=your-mpesa-consumer-key
MPESA_CONSUMER_SECRET=your-mpesa-consumer-secret

Important Notes:

• For production deployment, set BACKEND_API_URL to your deployed backend URL (e.g., https://your-app.onrender.com)
• OAuth callback URLs must match exactly what's configured in your OAuth provider console
• If GOOGLE_CALLBACK_URL is not set, it defaults to {BACKEND_API_URL}/auth/google/callback

Create a .env file in the frontend/ directory (or copy from .env.example):

cd frontend
cp .env.example .env

The .env file should contain:

VITE_BACKEND_URL=http://localhost:3001

• Create a cluster at https://cloud.mongodb.com
• Add your IP to the IP Access List
• Create a database user
• Get your connection string

Configuration Guides:

• OAuth Setup Guide - Configure social login
• Payment Setup - Payment gateway configuration
• M-Pesa Setup - M-Pesa integration
• Enhanced Features - Email, 2FA, WebSocket, Redis setup

Troubleshooting Database Connection: If you encounter issues connecting to MongoDB, see the Mongoose Troubleshooting Guide for common solutions.

To populate your database with professional sample products for a realistic e-commerce experience:

cd api

# View what would be seeded (safe mode)
npm run seed

# Add 12 sample products with descriptions and images
npm run seed:force

# Clear existing products and reseed
npm run seed:clear

This will add professional sample products including:

• Electronics (headphones, smart watches, speakers, keyboards)
• Accessories (bags, sunglasses)
• Sports & Fitness (yoga mats, water bottles, running shoes)
• Clothing (organic cotton t-shirts)
• Home & Kitchen (coffee mugs, desk lamps)

All products include professional descriptions, realistic pricing, high-quality images, and stock quantities.

Terminal 1 - Backend API:

cd api && npm start
# Server runs on http://localhost:3001

Terminal 2 - Frontend:

cd frontend && npm run dev
# Frontend runs on http://localhost:5173

Visit http://localhost:5173 to see the application.

cd api && npm start
# Server runs on http://localhost:3001

cd api && NODE_ENV=production node server.js

npm run deploy:worker
# OR
cd worker && npm run deploy

npm test
# OR
cd api && npm test

GET /health

Returns system health status and database connection state.

POST /user/signup
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "SecurePass123!"
}

POST /user/login
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "SecurePass123!"
}

The OAuth flow uses a single-use exchange code pattern to keep the real JWT out of browser history, server logs, and Referer headers. See OAuth Exchange Code Guide.

Sign in with Google

GET /auth/google
# Redirects to Google login page
# On success, redirects to: FRONTEND_URL/auth/success?code=<exchange-code>

Sign in with Microsoft

GET /auth/microsoft
# Redirects to Microsoft login page
# On success, redirects to: FRONTEND_URL/auth/success?code=<exchange-code>

Exchange Code for JWT (called automatically by the frontend)

POST /auth/exchange
Content-Type: application/json

{ "code": "<exchange-code>" }

# Returns: { "token": "<JWT>", "expiresAt": "..." }
# Code is deleted on first use and expires after 30 seconds

See OAuth Setup Guide for detailed configuration instructions.

POST /user/request-verification
Content-Type: application/json

{
  "email": "user@example.com"
}

GET /user/verify-email/:token

POST /user/request-password-reset
Content-Type: application/json

{
  "email": "user@example.com"
}

POST /user/reset-password/:token
Content-Type: application/json

{
  "password": "NewSecurePassword123!"
}

# Setup 2FA
POST /user/2fa/setup
Authorization: Bearer <token>

# Enable 2FA
POST /user/2fa/enable
Authorization: Bearer <token>
Content-Type: application/json
{
  "token": "123456"
}

# Verify 2FA
POST /user/2fa/verify
Content-Type: application/json
{
  "userId": "user_id",
  "token": "123456"
}

# Disable 2FA
POST /user/2fa/disable
Authorization: Bearer <token>
Content-Type: application/json
{
  "password": "YourPassword123!"
}

See Enhanced Features Documentation for complete details.

DELETE /user/:userId
Authorization: Bearer <token>

GET /products

POST /products
Authorization: Bearer <token>
Content-Type: multipart/form-data

name: "Product Name"
price: 99.99
productImage: <file>

GET /products/:productId

PATCH /products/:productId
Authorization: Bearer <token>
Content-Type: application/json

{
  "name": "Updated Name",
  "price": 149.99
}

DELETE /products/:productId
Authorization: Bearer <token>

GET /orders
Authorization: Bearer <token>

GET /orders/:orderId
Authorization: Bearer <token>

POST /orders
Authorization: Bearer <token>
Content-Type: application/json

{
  "productId": "507f1f77bcf86cd799439011",
  "quantity": 2
}

DELETE /orders/:orderId
Authorization: Bearer <token>

PATCH /orders/:orderId/status
Authorization: Bearer <token>
Content-Type: application/json

{
  "status": "shipped"
}

POST /payments/initiate
Authorization: Bearer <token>
Content-Type: application/json

{
  "orderId": "507f1f77bcf86cd799439011",
  "paymentMethod": "mpesa",
  "paymentData": {
    "phoneNumber": "254712345678"
  }
}

Supported Payment Methods: stripe, card, paypal, mpesa

GET /payments/verify/:paymentId
Authorization: Bearer <token>

GET /payments/:paymentId
Authorization: Bearer <token>

GET /payments/history?page=1&limit=10
Authorization: Bearer <token>

POST /payments/mpesa/callback
Content-Type: application/json

(Called automatically by M-Pesa servers)

For complete payment API documentation, see:

• Payment API Documentation
• M-Pesa Setup Guide

• Installation & Configuration - Setup and configuration guide
• OAuth Setup Guide - Configure Google, Microsoft, and Apple OAuth
• OAuth Exchange Code Guide - Single-use exchange code security pattern

• Complete Deployment Guide - Full-stack deployment walkthrough
• GitHub CI/CD Setup - Automated deployment with GitHub Actions
• Microservices Architecture - Detailed architecture overview
• Microservices Quickstart - Quick deployment guide
• Cloudflare Deployment - Deploy to Cloudflare Workers
• Cloudflare Secrets Setup - Configure secrets
• Frontend README - Frontend-specific documentation

• Enhanced Features Guide - Complete guide for:
  • Email verification and password reset
  • Two-factor authentication (2FA) setup
  • Real-time WebSocket notifications
  • Redis caching configuration
  • API versioning usage

• Payment API Documentation - Complete payment API reference
• M-Pesa Setup Guide - M-Pesa integration guide

• Monitoring & Observability - Comprehensive guide for:
  • Application Performance Monitoring (APM) integration
  • Distributed tracing setup
  • Custom metrics and dashboards
  • Alerting configuration
  • Health checks and probes

• Testing Guide - Complete testing documentation:
  • Unit and integration testing
  • Load testing with Artillery
  • End-to-end testing with Cypress
  • Contract testing
  • Test coverage strategies

• Database Migration Analysis - Database options
• MongoDB Cloudflare Strategy - MongoDB on Cloudflare
• Mongoose Troubleshooting - Common issues and solutions

• Troubleshooting Guide - Common issues and solutions
• Implementation Summary - Technical implementation details
• Before/After Comparison - Feature evolution

The project includes full CI/CD automation via GitHub Actions for:

• Cloudflare Workers (Edge proxy)
• Cloudflare Pages (Frontend)
• Automated testing and security scanning

Quick Setup:

1. Configure GitHub Secrets
2. Push to main branch
3. GitHub Actions handles the rest!

See detailed guides:

• GitHub CI/CD Setup Guide - Complete automation setup
• Full Deployment Guide - Manual deployment walkthrough

The backend deploys automatically via Render's built-in CI/CD:

Render:

# Connect GitHub repository
# Render auto-deploys on push to main
# Configure environment variables in Render dashboard

cd worker
wrangler secret put BACKEND_API_URL  # One-time setup
wrangler deploy

cd frontend
npm run build
wrangler pages deploy build --project-name=rest-shop-frontend

The project uses GitHub Actions for automated continuous integration and deployment.

1. Code Quality & Linting - ESLint, code style checks
2. Security Scanning - npm audit, Snyk, CodeQL
3. Testing - Full test suite with MongoDB Memory Server
4. Build Verification - Build worker and frontend
5. Deploy Worker - Automatic deployment to Cloudflare Workers (main branch only)
6. Deploy Frontend - Automatic deployment to Cloudflare Pages (main branch only)

Configure these in GitHub repository settings → Secrets and variables → Actions:

CLOUDFLARE_API_TOKEN     - Cloudflare API token for deployments
CLOUDFLARE_ACCOUNT_ID    - Your Cloudflare account ID
REACT_APP_API_URL        - Worker URL for frontend (e.g., https://rest-shop-worker.workers.dev)

Optional:

JWT_KEY                  - For CI tests only (not production)
SNYK_TOKEN              - For Snyk security scanning

Automatic:

• Push to main branch triggers full deployment
• Pull requests trigger testing only (no deployment)

Manual:

• Go to Actions tab → CI/CD Pipeline → Run workflow

See detailed guide: GitHub Secrets & CI/CD Setup

The project includes comprehensive testing at multiple levels:

# Run all tests
npm test

# Run tests in watch mode
npm run test:watch

# Product endpoint load test
npm run test:load

# Authenticated user journey
npm run test:load:auth

# Spike test (sudden load increase)
npm run test:load:spike

test/
├── setup.js                    # MongoDB Memory Server setup
├── controllers/
│   ├── user.test.js           # User authentication tests
│   ├── products.test.js       # Product CRUD tests
│   ├── orders.test.js         # Order management tests
│   ├── payments.test.js       # Payment processing tests
│   ├── auth.test.js           # Email verification & password reset
│   └── twoFactor.test.js      # 2FA functionality tests
└── middleware/
    └── check-auth.test.js     # Authentication middleware tests

tests/load/
├── products-load-test.yml     # Product browsing scenarios
├── auth-load-test.yml         # Authenticated user flows
└── spike-test.yml             # Sudden traffic spike test

• MongoDB Memory Server: Tests use an in-memory MongoDB instance
• Node.js: v20.x or higher
• Ubuntu 22.04+: Configured for OpenSSL 3.x compatibility (MongoDB 7.0.14)

Note: If you encounter "libcrypto.so.1.1" errors, the project is pre-configured to use MongoDB 7.0.14 which supports OpenSSL 3.x. This is set in package.json under config.mongodbMemoryServer.version.

• User authentication (signup, login, delete, email verification, password reset)
• Two-factor authentication (setup, enable, verify, disable)
• Product CRUD operations with caching
• Order management with real-time notifications
• Payment processing (Stripe, PayPal, M-Pesa)
• JWT middleware and authorization
• WebSocket connections and notifications
• Error handling and security
• Load testing scenarios
• Target Coverage: > 90%

For complete testing documentation, see Testing Guide

• Health Check Endpoint: /health - System health and database status
• Structured Logging: JSON-formatted logs with trace IDs
• Audit Logging: Security event tracking (logins, signups, failures)

• Response time tracking
• Request throughput
• Error rate monitoring
• Cache hit/miss rates
• WebSocket connection counts

• New Relic
• Datadog APM
• Elastic APM
• Prometheus/Grafana

• Trace ID propagation across services
• Request correlation
• Performance bottleneck identification

• High error rate alerts
• Slow response time notifications
• Database connection failures
• Payment gateway issues
• Memory and CPU usage warnings

For complete monitoring setup, see Monitoring & Observability Guide

• Helmet: Security headers
• CORS: Cross-origin resource sharing
• Rate Limiting: Request throttling
• Input Validation: express-validator
• Sanitization: XSS prevention

• checkAuth: Validates JWT tokens
• checkRole: Role-based access control

• Error Handler: Centralized error handling
• Morgan Logger: HTTP request logging

All errors return a consistent JSON format:

{
  "error": {
    "message": "Error description"
  }
}

• 200 - Success
• 201 - Created
• 400 - Bad Request (validation errors)
• 401 - Unauthorized (auth failed)
• 403 - Forbidden (insufficient permissions)
• 404 - Not Found
• 409 - Conflict (duplicate resource)
• 429 - Too Many Requests (rate limit)
• 500 - Internal Server Error

1. Fork the repository
2. Create a feature branch (git checkout -b feature/AmazingFeature)
3. Commit your changes (git commit -m 'Add some AmazingFeature')
4. Push to the branch (git push origin feature/AmazingFeature)
5. Open a Pull Request

• Write tests for new features
• Follow existing code style
• Update documentation
• Ensure all tests pass
• Keep commits atomic and well-described

This project is licensed under the ISC License.

Merlyn Zawadi

For issues and questions:

• Open an issue on GitHub
• Check existing documentation
• Review API endpoints in Postman collection

• Express.js community

• MongoDB Atlas

• Cloudflare Workers

• All contributors