Bulletproof Your Backend with Express & TypeScript | Secure & Scalable API

Bulletproof your backend with Express, TypeScript, Zod, Helmet, Cors and bcrypt

February 4, 2025

Nodejs

0 likes

Hey dear readers! Are you already a master of JavaScript and backend with express? If so now you can take your skill even to next level bulletproofing your backend with typescript, Validation with Zod and secure it with helmet and much more. I hope you guys are excited to learn something new.

Let's just dive in creating a simple blogs API.

1. Firstly Project Setup

Here are tool and technologies we are going to use and the dependencies we are going to install.

Tools & Libraries:

Express: Backend framework.
TypeScript: Static typing for safety.
Zod: Schema validation.
Passport: Authentication middleware.
Mongoose: MongoDB ODM (Object Data Modeling).
Helmet: Security headers.
Rate Limiter: Prevent brute-force attacks.

npm init -y
npm install express typescript zod passport passport-local passport-jwt mongoose bcrypt jsonwebtoken cors helmet express-rate-limit dotenv
npm install -D @types/express @types/node ts-node nodemon @types/passport @types/bcrypt @types/jsonwebtoken

Ok now we have installed all the dependencies we need. Let's just start by creating index.ts file inside of src folder. We are going make couple of folders called config for all the configurations files ,modules for all of our code in a modular format. We are also going to use MVCS(Model,View,Controller and Service) pattern inside of module which will look something like below.

// schemas/user.schema.ts
import { z } from "zod";

// User registration schema
export const registerSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
  role: z.enum(["user", "admin"]).default("user"),
});

// Middleware to validate requests
import { Request, Response, NextFunction } from "express";
export const validate = (schema: z.ZodSchema) => {
  return (req: Request, res: Response, next: NextFunction) => {
    try {
      schema.parse(req.body); // Validate request body
      next();
    } catch (err) {
      res.status(400).json({ error: err.errors });
    }
  };
};

app.post("/register", validate(registerSchema), (req, res) => {
  // Proceed if validation passes
});

// strategies/jwt.strategy.ts
import { Strategy as JwtStrategy, ExtractJwt } from "passport-jwt";
import { User } from "../models/user.model";
import dotenv from "dotenv";
dotenv.config();

const jwtOptions = {
  jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
  secretOrKey: process.env.JWT_SECRET!,
};

export const jwtStrategy = new JwtStrategy(jwtOptions, async (payload, done) => {
  try {
    const user = await User.findById(payload.sub);
    if (user) return done(null, user);
    else return done(null, false);
  } catch (err) {
    return done(err, false);
  }
});

// strategies/local.strategy.ts
import { Strategy as LocalStrategy } from "passport-local";
import { User } from "../models/user.model";
import bcrypt from "bcrypt";

export const localStrategy = new LocalStrategy(
  { usernameField: "email" },
  async (email, password, done) => {
    try {
      const user = await User.findOne({ email });
      if (!user) return done(null, false);
      
      const isValid = await bcrypt.compare(password, user.password);
      if (!isValid) return done(null, false);
      
      return done(null, user);
    } catch (err) {
      return done(err, false);
    }
  }
);

// app.ts
import passport from "passport";
import { jwtStrategy, localStrategy } from "./strategies";

passport.use(jwtStrategy);
passport.use(localStrategy);

app.use(passport.initialize());

// models/user.model.ts
import { Schema, model } from "mongoose";
import bcrypt from "bcrypt";

interface User {
  email: string;
  password: string;
  role: "user" | "admin";
}

const userSchema = new Schema<User>({
  email: { type: String, required: true, unique: true },
  password: { type: String, required: true },
  role: { type: String, enum: ["user", "admin"], default: "user" },
});

// Hash password before saving
userSchema.pre("save", async function (next) {
  if (this.isModified("password")) {
    this.password = await bcrypt.hash(this.password, 10);
  }
  next();
});

export const User = model<User>("User", userSchema);

// middleware/errorHandler.ts
import { Request, Response, NextFunction } from "express";

export const errorHandler = (
  err: Error,
  req: Request,
  res: Response,
  next: NextFunction
) => {
  console.error(err.stack);

  // Handle Zod validation errors
  if (err.name === "ZodError") {
    return res.status(400).json({ error: "Validation failed" });
  }

  // Handle Mongoose errors (e.g., duplicate key)
  if (err.name === "MongoError") {
    return res.status(400).json({ error: "Database error" });
  }

  res.status(500).json({ error: "Internal server error" });
};

import helmet from "helmet";
import cors from "cors";

app.use(helmet()); // Set secure headers (XSS, CSP, HSTS)
app.use(cors({ origin: ["https://your-frontend.com"] })); // Restrict CORS

import rateLimit from "express-rate-limit";

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per window
});
app.use(limiter);

# .env
JWT_SECRET=your_super_secret_key
MONGO_URI=mongodb://localhost:27017/your_db

// routes/protected.route.ts
import { Router } from "express";
import passport from "passport";

const router = Router();

router.get(
  "/profile",
  passport.authenticate("jwt", { session: false }),
  (req, res) => {
    res.json({ user: req.user });
  }
);

export default router;

// routes/auth.route.ts
import { Router } from "express";
import { User } from "../models/user.model";
import { registerSchema, validate } from "../schemas/user.schema";
import bcrypt from "bcrypt";

const router = Router();

router.post("/register", validate(registerSchema), async (req, res) => {
  try {
    const { email, password } = req.body;
    const existingUser = await User.findOne({ email });
    if (existingUser) return res.status(400).json({ error: "User exists" });

    const user = new User({ email, password });
    await user.save();
    res.status(201).json({ message: "User created" });
  } catch (err) {
    res.status(500).json({ error: "Internal server error" });
  }
});