Just wrapped up the core setup for my e-commerce API (Impextech): Auth, Products, and Users. Everything is running on Node.js, Express, and TypeScript.
Instead of just getting it to work, I spent this week focusing on security, keeping the code clean, and fixing some annoyances in my dev environment.
Here’s a breakdown of what I built and a few "gotchas" I learned along the way.
1. Clean Architecture (Separation of Concerns)
I split everything into Models, Services, and Controllers. It takes a little more time to set up initially, but it makes the route files way easier to read and keeps all the database logic safely in one place.
My folder structure looks like this now:
src/
├── controllers/
├── middleware/
├── models/
├── routes/
└── services/
2. Route-Specific Middleware
I set up custom middleware using express-jwt. Instead of applying global rules in my main app file, I passed requireLogin and isAdmindirectly into specific routes.
This means a normal user can update their own profile, but you explicitly need an admin token to touch the product catalog or delete an account.
// src/routes/user.routes.ts
import { Router } from "express";
import { requireLogin, isAdmin } from "../middleware/auth.middleware.js";
import * as userController from "../controllers/user.controller.js";
const router = Router();
// Any logged-in user can view a profile
router.get("/:id", requireLogin, userController.getUser);
// ONLY Admins can delete accounts
router.delete("/:id", requireLogin, isAdmin, userController.deleteUserController);
export default router;
3. Fixing a Mongoose Quirk (The Big Lesson)
I realized that Mongoose completely ignores schema validation during update queries by default. If you run findByIdAndUpdate, it just fires the raw command directly to MongoDB and skips your carefully crafted schema rules.
I had to explicitly pass { new: true, runValidators: true } to my service functions so bad data doesn't accidentally slip into the database.
// src/services/user.service.ts
export const updateUser = async (id: string, updateData: any) => {
const updatedUser = await User.findByIdAndUpdate(
id,
updateData,
{ new: true, runValidators: true } // <-- The magic fix
);
if (!updatedUser) throw new Error('User not found');
return updatedUser;
};
4. Fixing my Terminal
Got tired of my zsh terminal suggesting old typos and deleted git branches. I finally updated my .zshrc config so it stops saving garbage commands.
If you use zsh-autosuggestions, drop this at the bottom of your ~/.zshrc:
# Stop saving duplicates and commands that start with a space
setopt HIST_IGNORE_ALL_DUPS
setopt HIST_IGNORE_SPACE
setopt HIST_REDUCE_BLANKS
Up Next 🛒
Next on the roadmap is the Cart module. Now that I have users and products, it's time to build the logic so they can actually add items and check out.
How do you usually handle role-based access control in your Node apps? Let me know in the comments!
Top comments (0)