DEV Community: Saurabh Sharma

Authentication and Authorization Microservice with Node.js, Express, PostgreSQL, and 2-Factor : Part 1

Saurabh Sharma — Wed, 26 Mar 2025 07:15:01 +0000

In today’s digital landscape, securing user authentication is more critical than ever. Whether you're developing a SaaS platform, an enterprise application, or a multi-tenant system, a robust authentication and authorization microservice can help centralize user management and enforce security best practices. In this blog post, we will walk through the complete development of an authentication and authorization microservice using Node.js, Express, and PostgreSQL, incorporating JWT-based authentication, role-based access control (RBAC), and Two-Factor Authentication (2FA) using TOTP (Time-Based One-Time Passwords). We will also ensure industry-grade security practices, including password hashing, input validation, and secure token management. By the end of this guide, you'll have a production-ready microservice that can be integrated with multiple applications, serving as a reliable identity provider. Let’s get started! 🚀

It is part of series:

Part 1
Part 2
Part 3

Authentication & Authorization:

Mechanisms: Username/password, TOTP.

Services: User registration, authenticator registration, login, token issuance (JWT or OAuth2), and role-based access control.

Super Admin: One dedicated user with elevated privileges.

Deployment:

Containerization: Docker support for easier deployment and orchestration (e.g., Kubernetes).

Security:
Industry best practices, such as secure password storage
Initialize Project

Let's start

1. Create directory & initiate npm

mkdir auth-service
cd auth-service
npm init -y

Install typescript and other development dependency

npm install typescript ts-node @types/node --save-dev
tsc --init

Install express framework and database ORM (TypeORM) & pg

npm install express typeorm pg dotenv
npm install @types/express --save-dev

To get it work, open `tsconfig.json` and add following settings in compilerOptions

"experimentalDecorators": true,
"emitDecoratorMetadata": true,
"strictPropertyInitialization": false,

2. Install Postgres & pgAdmin using docker-compose

create file docker-compose.yml in root and copy the following content

version: "3.8"
services:
  db:
    image: postgres
    container_name: local_pgdb
    restart: always
    ports:
      - "5432:5432"
    environment:
      - POSTGRES_USER=${DB_USER}
      - POSTGRES_PASSWORD=${DB_PASSWORD}
    volumes:
      - local_pgdata:/var/lib/postgresql/data
  pgadmin:
    image: dpage/pgadmin4
    container_name: pgadmin4_container
    restart: always
    ports:
      - "8888:80"
    environment:
      - PGADMIN_DEFAULT_EMAIL=${PGADMIN_DEFAULT_EMAIL}
      - PGADMIN_DEFAULT_PASSWORD=${PGADMIN_DEFAULT_PASSWORD}
    volumes:
      - pgadmin-data:/var/lib/pgadmin

volumes:
  local_pgdata:
  pgadmin-data:

Create .env file in root with your credentials (Don't use the given details)

DB_HOST=localhost
DB_PORT=5432

DB_USERNAME=postgres
DB_PASSWORD=postgres

PGADMIN_DEFAULT_EMAIL=pgadmin@postgres.com
PGADMIN_DEFAULT_PASSWORD=pgadmin

Run the docker

docker-compose up -d

Check the containers status

docker ps

you can access the pgAdmin using url http://localhost:8888
login using your credentials and create server connection
host will be container name(eg.local_pgdb) of Postgres container

3. ORM Configuration

create data-source.ts file in src folder with following code

import { DataSource } from "typeorm";
import * as dotenv from 'dotenv';
dotenv.config();

export const AppDataSource = new DataSource({
  type: "postgres", 
  host: "localhost",
  port: 5432,
  username: process.env.DB_USERNAME || "postgres",
  password: process.env.DB_PASSWORD || "postgres",
  database: process.env.DB_DATABASE || "postgres",
  synchronize: true,    // make false for production
  logging: false,
  entities: ["src/entity/**/*.ts"],
  migrations: ["src/migration/**/*.ts"],
  subscribers: ["src/subscriber/**/*.ts"],
});

AppDataSource.initialize()
    .then(() => {
    console.log("Data Source has been initialized!");
  })
  .catch((err) => {
    console.error("Error during Data Source initialization:", err);
  });

Create following folder structure in src folder

src/entity
src/migration
src/subscriber

3.1 Create Database Schema

Create a `Userentity` in `src/entity/User.ts`:

import { Entity, PrimaryGeneratedColumn, Column, CreateDateColumn } from 'typeorm';

@Entity()
export class User {
  @PrimaryGeneratedColumn('uuid')
  id: string;

  @Column({ unique: true })
  username: string;

  @Column()
  passwordHash: string;

  @Column({ default: 'user' })
  role: string;

  @Column({ nullable: true })
  totpSecret: string;

  @CreateDateColumn()
  createdAt: Date;
}

Create migration file `CreateUserTable` in `src/migration`

npx typeorm-ts-node-commonjs -d ./src/data-source.ts migration:generate ./src/migration/CreateUserTable

Run the migration using following command

npx typeorm-ts-node-commonjs -d src/data-source.ts migration:run

Install other libraries

npm install bcrypt speakeasy qrcode jsonwebtoken express-validator
npm install @types/bcrypt @types/speakeasy  @types/qrcode @types/jsonwebtoken

4. Startup file

Create index.ts file in src folder with following initial code:

import express from 'express';
import { AppDataSource } from './data-source';

const app = express();

app.get('/health', (req, res) => {
  res.send('Auth Microservice is running');
});

AppDataSource.initialize()
    .then(() => {
    console.log("Data Source has been initialized!");
    app.listen(3000, () => {
      console.log('Auth Microservice is running on port 3000');
    });

  })
  .catch((err) => {
    console.error("Error during Data Source initialization:", err);
  });

Create start script in `package.json` as below:

"scripts": {
    "test": "echo \"Error: no test specified\" && exit 1", 
    "start": "ts-node ./src/index.ts"
  },

run the application using npm run start
You can access the code from repository

saurabh2k1 / auth-service

Authentication & Authorization Microservice

Part 2 is coming...

From Fairy Tales to Future Tech: A Letter to My Loved Ones

Saurabh Sharma — Tue, 18 Mar 2025 05:41:49 +0000

This is a submission for the Future Writing Challenge: How Technology Is Changing Things.

Dear Family and Friends,

I hope you’re all doing well! I wanted to share some thoughts about how technology is gently reshaping our everyday world—a journey that touches every part of our lives.

Imagine technology as a friendly, magical helper. Just like a colorful toy robot that sings and dances, it makes many things easier and more fun. For example, it’s like having a magic picture book that shows us faraway lands, helps us learn new things, and even keeps us connected with loved ones no matter where we are. Even a five-year-old can understand that it’s a bit like having a magic wand that sprinkles excitement and ease into our daily routine!

But the magic isn’t just for little wonders—it’s also creating big ripple effects in our culture. Our schools are turning digital, letting kids learn from teachers and friends across the globe. In our work lives, technology means that many of us can connect from anywhere, making collaboration easier and more creative. Even how we meet new people, celebrate milestones, or share family traditions is evolving with social media and smart devices.

As we step into this future, let’s see these changes as opportunities to grow closer and create new ways of learning, working, and sharing love. I write this to all of you—across every generation—so we can embrace these shifts together, with curiosity and warmth.

With love and excitement for the future,

Saurabh Sharma

Additional Prize Categories

Explain Like I'm Five,
Ripple Effects

Using React-admin Dashboard for Application Management

Saurabh Sharma — Tue, 25 Feb 2025 10:57:04 +0000

Building an application can feel overwhelming, especially when it comes to managing its data and user interface. Using a React-admin dashboard streamlines this process by providing a robust and customizable framework for creating your admin panel quickly and efficiently. The integration of React-admin not only enhances the user experience but also simplifies the development process.

In my experience, the flexibility of React-admin allows me to tailor the dashboard to the specific needs of my application. This means I can focus on what matters most—developing features that provide real value to my users. With its rich set of tools and components, React-admin aids in reducing the amount of boilerplate code, enabling me to implement functionalities faster.

Ultimately, adopting React-admin for your application empowers you to maintain control over data management while delivering a user-friendly interface. The immediate benefits of quicker setup times and enhanced customization make it an appealing choice for developers seeking efficiency and functionality in their projects.

Getting Started with React-Admin

I will outline the essential steps for setting up React-Admin. This section covers the installation and setup process, basic configuration, and the architecture of React-Admin.

Installation and Setup

To begin using React-Admin, I need to ensure that Node.js and npm are installed on my machine. I can install React-Admin in a new or existing project using npm or yarn. Here’s the command for installation:

npm install react-admin

After installation, I can start creating my Admin component. This involves importing React-Admin components and setting up the data provider. For a quick start, I often use the REST data provider, which can be installed with:

npm install ra-data-json-server

This provider allows me to connect to a JSON server easily and is perfect for rapid development.

Basic Configuration

With React-Admin set up, I can create the basic configuration for my dashboard. I typically start by defining a simple data provider and passing it to the <Admin> component. Here’s an example structure:

import { Admin, Resource } from 'react-admin';
import jsonServerProvider from 'ra-data-json-server';

const dataProvider = jsonServerProvider('http://jsonplaceholder.typicode.com');
const App = () => (
    <Admin dataProvider={dataProvider}>
        <Resource name="posts" />
        <Resource name="comments" />
    </Admin>
);

This setup enables me to start working with resources right away. I can customize the resources by defining create, edit, and list views based on my needs.

Understanding the React-Admin Architecture

React-Admin is built around a set of core principles that make it a powerful tool for creating admin interfaces. At its core, it separates concerns by using components for different functionalities.

Key components include:

Admin: The main container for my application.
Resource: Represents the data entity I manage, such as posts or users.

React-Admin operates on a data provider pattern, allowing me to switch data sources easily. This flexibility enables me to integrate with REST APIs, GraphQL, and other sources without changing the frontend significantly. Each resource can be configured with custom views, providing complete control over the presentation and functionality.

Core Components of React-Admin

React-Admin consists of essential components that work together to create a powerful and flexible dashboard. Understanding these components is crucial for developing applications effectively. Below, I provide an overview of the core components that drive React-Admin's functionality.

DataProvider

The DataProvider is a critical component in React-Admin. It acts as an interface between the user interface and the data layer. This abstraction allows me to interact with various data sources, including REST, GraphQL, or any custom API.

The DataProvider handles CRUD operations seamlessly. This means I can retrieve, create, update, or delete resources. Additionally, I can easily customize it to fit my backend requirements, allowing for scalability and versatility.

When implementing a DataProvider, I define methods like getList, getOne, create, and update. These methods return Promises, which integrate smoothly with React-Admin's asynchronous paradigm. Setting up the DataProvider efficiently ensures a robust application capable of meeting user demands.

AuthenticationProvider

An AuthenticationProvider is vital for securing my application. It manages user authentication and authorization within the dashboard, ensuring that only authorized users can access certain resources.

This provider often integrates with OAuth, JWT tokens, or any authentication setup I choose. I define methods such as login, logout, and checkAuth. This way, I can manage user sessions effectively and enhance security.

When a user attempts to log in, the AuthenticationProvider verifies credentials and responds appropriately. Proper implementation of this component is essential for a secure and reliable application, protecting sensitive data and resources.

Admin Component

The Admin Component serves as the central component of my React-Admin application. It brings together various parts of the application, rendering the layout and handling routing. This component is where I define my dataProvider and authenticationProvider.

The Admin Component is reusable and easy to configure. I can customize the dashboard by defining the title, layout, and other props. Additionally, it acts as a high-level router, managing different resources.

Using the Admin Component, I can create a cohesive and intuitive user interface. It helps maintain structure while ensuring flexibility for UI modifications as my project evolves.

Resource Component

The Resource Component is essential for defining data entities within the application. Each resource corresponds to a data entity I want to manage, such as users, products, or orders. This component allows me to specify how each resource will be displayed and manipulated.

Within the Resource Component, I can define views for listing, editing, and creating records. By using built-in components like <List>, <Edit>, or <Create>, I ensure that my application adheres to a consistent UI and functionality.

Each resource can be further customized with specific fields and filters, accommodating various data requirements. The Resource Component simplifies the management of multiple data entities while preserving clarity in my application's structure.

Building a Dashboard

Creating a dashboard in React-admin involves configuring various components and potentially developing custom widgets that enhance functionality. Here’s how I approach these essential aspects.

Dashboard Configuration

Dashboard configuration in React-admin allows for flexibility and scalability. I start by defining my data sources, typically through a REST or GraphQL API. This involves setting up resource components that detail how data is accessed and displayed.

Next, I customize the layout using built-in layout components like <Card> or <Grid>, which let me organize information effectively. Utilizing the Dashboard component, I can specify widgets that showcase key metrics, using <SimpleList> or <Stat> components for simplicity.

I also make use of styles and themes to align the dashboard’s appearance with branding. It’s crucial to leverage the permissions feature to control user access, ensuring that sensitive information remains protected.

Custom Widgets

Custom widgets enhance user interaction and data presentation. I create these by building new components that integrate seamlessly with existing React-admin tools.

To get started, I define the component structure using React hooks, which allow for functional and responsive interfaces. I ensure that each widget adheres to the overall dashboard design.

For instance, I might develop a chart widget using libraries like recharts or chart.js. This helps visualize data trends effectively. Additionally, I implement tools for filtering and sorting data, making the dashboard more user-friendly.

By adding interactivity through state management, I can provide real-time updates, significantly improving user engagement and decision-making.

Data Management

Effective data management is crucial for any application utilizing React-admin. This section covers how to perform CRUD operations seamlessly and implement robust data validation and error handling.

CRUD Operations

React-admin simplifies CRUD (Create, Read, Update, Delete) operations through its intuitive interface. Utilizing the built-in data provider, I can easily connect to various backends, including REST and GraphQL APIs.

Create: I use forms that automatically handle inputs. The <Create> component generates structured forms for data entry.
Read: Fetching data is straightforward with <List> and <Show> components. I can customize these components to display information clearly.
Update: With the <Edit> component, I can modify existing entries easily. It also supports form validation to ensure data integrity.
Delete: The <DeleteButton> component allows me to remove entries efficiently. Confirmation dialogues help prevent accidental deletions.

Data Validation and Error Handling

Data validation is essential to maintain data quality. React-admin offers validation rules that can be applied to forms.

Client-side Validation: I can define custom validation logic using functions. This ensures that invalid data does not reach the server.
Server-side Validation: Implementing API-level validation enhances reliability. I handle API responses to identify and manage errors.

Error handling can be incorporated using notification systems. For instance, I use the <Notification> component to inform users of successful or failed operations.

Implementing effective data validation and error handling improves user experience and application reliability.

Authentication and Authorization

I prioritize securing user access through effective authentication and authorization strategies. These protocols ensure that only validated users can access sensitive areas of the application.

User Authentication Workflow

In my applications, I implement a user authentication workflow that typically involves several steps. First, users provide their credentials, usually a username and password.

Next, I verify these credentials against a backend service. Upon successful verification, the system generates a token, often a JSON Web Token (JWT), that the user receives. This token serves as proof of their identity in subsequent requests.

To enhance security, I also encourage the use of multi-factor authentication (MFA). This additional layer can include SMS codes or authentication apps, significantly reducing unauthorized access.

Access Control and Permissions

Access control defines what authenticated users can do within the application. I establish roles for different user types, such as admin, editor, or viewer.

Through role-based access control (RBAC), I map specific permissions to these roles. For instance, only admins can manage user accounts and settings, while editors can create and edit content.

Implementing this structure involves updating the user interface to display options based on their roles. I typically use conditional rendering in React to achieve this dynamic visibility.

This ensures that unauthorized actions are prevented, maintaining data integrity and security across the platform.

Deploying React-Admin Applications

Effective deployment of a React-Admin application requires attention to the build process and appropriate environment configuration. I will cover the essential steps to ensure a smooth deployment experience.

Build and Deployment Process

To deploy a React-Admin application, I start by creating a production build. In the terminal, I run:

npm run build

This command generates an optimized version of the app in the build directory.

Next, I need to decide on a deployment platform. Popular choices include:

Netlify: Great for static sites; integrates well with Git.
Vercel: Excellent for both static and dynamic applications.
AWS S3: Suitable for hosting static files with scalability.

After choosing a platform, I follow its deployment instructions. I typically upload the contents of the build folder to the chosen environment.

Environment Configuration

Configuring the environment is critical for a successful deployment. I define environment variables for various settings in the .env file. Key variables often include:

REACT_APP_API_URL: The URL of the backend API.
REACT_APP_ENV: Specifies the current environment (development, staging, production).

When deploying, I set these variables directly in the hosting environment as needed. For instance, platforms like Netlify allow me to set these variables in their dashboard.

Lastly, I verify the deployment by accessing the application and checking key functionalities to ensure everything runs smoothly.

A Year of Transformation: Reflecting on 2024's Journey in Tech and Beyond

Saurabh Sharma — Thu, 02 Jan 2025 05:32:00 +0000

This is a submission for the 2025 New Year Writing challenge: Retro’ing and Debugging 2024.

As we are ushering into a new year which is a perfect square 2025 in mathematically terms it's time to pause and reflect on to the whirlwind that was 2024 back in the year that gone.

The year 2024 was marked by remarkable advancements in technology, specially in the field of artificial intelligence (AI) and machine learning (ML). The usage of AI into everyday applications reached new heights, making day to day tasks more efficient and in-turn creating more opportunities for innovation. Parallelly the challenges posed by cyber crimes also enhanced. We have seen global impacts due to misbehaving of application updates.

on personal front also 2024 was a year of introspection and growth. Embracing new learning experiences in both professional development and personal hobbies. And as I say frequently, being in IT sector, you can not leave learning.

Always try to learn new things if you want to be relevant in ever evolving IT industry.

Achievements

First of all I promoted in my organization
I have secured coveted Certified Information Security Manager (CISM) certificate.
Utilizing generative AI ChatGPT

I was learning React JS front end and in this journey of self learning, I have achieved many milestone like utilizing react-admin framework. I also implemented two-factor authentication using Authenticator tools with react-admin framework. It was a very challenging job to include two-factor alongside react-admin authentication as there is no tutorial available for it. But this is very much required in the era of AI infused cyber threats to secure your applications.