DEV Community: Wesley Israel The latest articles on DEV Community by Wesley Israel (@wesleyisr4). https://dev.to/wesleyisr4 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F554406%2F7c6e24e0-b370-4f9d-b2d9-8925a463a1a8.jpeg DEV Community: Wesley Israel https://dev.to/wesleyisr4 en The Secret Weapon Every Developer Needs: Cursor + Figma MCP Integration Wesley Israel Mon, 04 Aug 2025 17:01:43 +0000 https://dev.to/wesleyisr4/the-secret-weapon-every-developer-needs-cursor-figma-mcp-integration-3k1k https://dev.to/wesleyisr4/the-secret-weapon-every-developer-needs-cursor-figma-mcp-integration-3k1k <h2> The Secret Weapon Every Developer Needs: Cursor + Figma MCP Integration </h2> <p>Listen up, developers! If you're still manually copying design tokens from Figma or screenshotting components like it's 2010, you're doing it wrong. There's a better way, and it's called <strong>MCP (Message Communication Protocol)</strong>.</p> <p>Yeah, it's that cool.</p> <h2> What the Heck is MCP? </h2> <p>MCP is like having a direct hotline between your editor and Figma. No more context switching, no more copy-paste madness, no more "where did I put that color code again?" moments.</p> <p>Think of it as your personal Figma assistant that lives right inside Cursor. Mind-blowing, right?</p> <h2> The Setup That Will Change Your Life </h2> <h3> Step 1: Configure Your MCP Settings </h3> <p>Open your Cursor settings and add this configuration to your MCP setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Framelink Figma MCP Personal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"-y"</span><span class="p">,</span><span class="w"> </span><span class="s2">"figma-developer-mcp"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--figma-api-key=YOUR_API_KEY_HERE"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--stdio"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Pro tip:</strong> Replace <code>YOUR_API_KEY_HERE</code> with your actual Figma API key. You can get one from your Figma account settings.</p> <h3> Step 2: Get Your Figma API Key </h3> <ol> <li>Go to your Figma account settings</li> <li>Navigate to Personal access tokens</li> <li>Create a new token</li> <li>Copy that bad boy and paste it in the config above</li> </ol> <h3> Step 3: Restart Cursor and Start Using </h3> <p>Restart Cursor, and you're ready to go! No installation needed — just copy a Figma frame link and paste it in the chat to get all the data you need.</p> <h2> What You Can Do Now (That You Couldn't Before) </h2> <ul> <li> <strong>Extract design tokens</strong> directly from Figma components</li> <li> <strong>Get component information</strong> without leaving your editor</li> <li> <strong>Download images and SVGs</strong> with a simple command</li> <li> <strong>Access layout data</strong> for responsive design implementation</li> <li> <strong>Sync color palettes</strong> automatically</li> </ul> <h2> Real-World Example: The Magic of Frame Links </h2> <p>Here's how you'd extract data from your Figma file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Before MCP (the dark ages)</span> <span class="c1">// 1. Open Figma</span> <span class="c1">// 2. Find the component</span> <span class="c1">// 3. Copy the hex code</span> <span class="c1">// 4. Paste in your code</span> <span class="c1">// 5. Repeat 50 times</span> <span class="c1">// After MCP (the enlightened era)</span> <span class="c1">// Just paste a Figma frame link in the chat:</span> <span class="c1">// https://www.figma.com/file/abc123/MyDesign?node-id=123:456</span> <span class="c1">// Boom! All your design data in one go</span> </code></pre> </div> <h2> The Benefits That Will Make Your Teammates Jealous </h2> <p>✅ <strong>Zero context switching</strong> — Stay in your flow<br> ✅ <strong>Real-time design sync</strong> — Always up-to-date<br> ✅ <strong>Automated token extraction</strong> — No more manual work<br> ✅ <strong>Version control for design</strong> — Track design changes<br> ✅ <strong>Faster development cycles</strong> — Ship features faster</p> <h2> Common Gotchas (Don't Say I Didn't Warn You) </h2> <ul> <li> <strong>API Rate Limits</strong>: Figma has rate limits, so don't go crazy with requests</li> <li> <strong>File Permissions</strong>: Make sure you have access to the Figma files you're trying to connect</li> <li> <strong>Token Security</strong>: Keep your API key secure and never commit it to version control</li> </ul> <h2> The Call to Action That Will Change Your Development Life </h2> <p>Ready to join the future of design-to-code workflow?</p> <ol> <li> <strong>Configure your MCP settings</strong> (it takes 2 minutes)</li> <li> <strong>Copy a Figma frame link</strong> and paste it in the chat</li> <li> <strong>Watch the magic happen</strong> as all your design data appears</li> <li> <strong>Share this article</strong> with your team (they'll thank you)</li> </ol> <p>Your future self will thank you for reading this far. Now go forth and build amazing things with the power of Cursor + Figma MCP!</p> <p><em>P.S. If you're still manually copying design tokens, you're literally living in the past. Time to upgrade your workflow! 🚀</em></p> figma cursor react designsystem Real‑World Applications of AI: Lessons from Successful Projects Wesley Israel Fri, 01 Aug 2025 23:50:47 +0000 https://dev.to/wesleyisr4/real-world-applications-of-ai-lessons-from-successful-projects-2dok https://dev.to/wesleyisr4/real-world-applications-of-ai-lessons-from-successful-projects-2dok <h1> Real‑World Applications of AI: Lessons from Successful Projects </h1> <p>Artificial intelligence is no longer an exotic research topic—it is a core part of modern products and services. From recommendation engines to generative assistants, AI is solving real business problems, but success is not guaranteed. Many early attempts fail because teams focus on the model instead of the end‑to‑end solution or because projects are driven by hype rather than measurable outcomes. This article distills lessons from real‑world AI deployments across industries and outlines practices for experienced developers and tech leads who want to deliver sustainable value.</p> <h2> Why AI projects succeed or fail </h2> <p>AI projects differ from traditional software projects. Models are only as good as the data they are trained on and the surrounding infrastructure. <em>Michelle K. Lee</em>, former director of the U.S. Patent and Trademark Office and now VP of machine learning at Amazon Web Services, notes that successful machine‑learning solutions start with a <strong>strong data strategy</strong>—treating data as an organizational asset, democratizing access, ensuring compliance and putting it to work through analytics【138012276578581†L169-L193】. Without accessible, high‑quality data, teams spend their time cleaning and wrangling rather than building models【138012276578581†L174-L182】.</p> <p>Selecting the right use cases is equally important. Lee advises businesses to start by identifying high‑impact problems that have sufficient data and are amenable to machine learning【138012276578581†L204-L214】. A high‑impact problem without data will frustrate data scientists, while a well‑supported use case with low business impact will fail to gain adoption【138012276578581†L206-L213】. In short, <strong>not every problem is solvable by AI</strong>; tech leads must weigh data readiness, business value and ML applicability【138012276578581†L215-L217】.</p> <h2> Seven lessons from successful machine‑learning projects </h2> <p>The MIT Sloan article “7 lessons to ensure successful machine learning projects” summarises insights from real deployments【138012276578581†L169-L193】. Key takeaways for practitioners:</p> <ul> <li> <strong>Invest in data strategy</strong> – treat data as an organizational asset, democratize access and build pipelines that support analytics and machine learning【138012276578581†L169-L193】.</li> <li> <strong>Choose use cases wisely</strong> – align projects with business goals, assess data availability, model feasibility and define clear success metrics【138012276578581†L204-L214】.</li> <li> <strong>Build cross‑functional teams</strong> – combine technical experts with domain experts to close cultural gaps and ensure adoption【138012276578581†L228-L235】.</li> <li> <strong>Secure executive sponsorship and foster experimentation</strong> – projects need top‑level support and a culture that tolerates initial under‑performance and treats failures as learning opportunities【138012276578581†L237-L249】.</li> <li> <strong>Address skills gaps</strong> – train existing staff and provide resources for both engineers and business leaders to understand ML【138012276578581†L252-L258】.</li> <li> <strong>Invest in infrastructure and tools</strong> – avoid reinventing the wheel; use managed services and platforms to free teams from undifferentiated heavy lifting【138012276578581†L269-L281】.</li> <li> <strong>Plan for the long term</strong> – machine‑learning models need continuous retraining and maintenance; start with small projects, demonstrate value and iterate【138012276578581†L283-L295】.</li> </ul> <p>These lessons apply across industries and are particularly relevant for teams building AI features into large codebases. They emphasize organisational readiness (data and culture) and the importance of small, measurable wins.</p> <h2> Hard truths from the early days of generative AI </h2> <p>Generative AI has exploded in popularity, but many organisations are still experimenting. A McKinsey survey found that while 65 % of respondents were using generative AI, only 10 % had scaled it successfully【249839388272364†L165-L161】. At the MIT Sloan CIO Symposium, <strong>Aamer Baig</strong> highlighted seven “hard truths” for generative‑AI adoption【249839388272364†L165-L181】:</p> <ol> <li> <strong>Not all use cases are equal</strong> – generative AI initiatives are often scattershot and don’t improve the bottom line; prioritise high‑value, feasible and low‑risk use cases【249839388272364†L169-L181】.</li> <li> <strong>It’s about the stack, not just the model</strong> – enterprise‑scale AI requires 20–30 components such as large language models, data gateways, prompt engineering, security and orchestration【249839388272364†L183-L190】. Teams must integrate the entire stack rather than focusing only on the model.</li> <li> <strong>Manage costs carefully</strong> – change management can cost up to three times the technology itself; generative‑AI maintenance may equal development costs【249839388272364†L200-L218】. Budget accordingly and make informed platform choices.</li> <li> <strong>Tame tool proliferation</strong> – standardise tools to avoid fragmentation and maintain team productivity【249839388272364†L224-L229】.</li> <li> <strong>Assemble product‑oriented teams</strong> – organise work around integrated, cross‑functional pods with visibility from top management【249839388272364†L231-L239】.</li> <li> <strong>Get the right data, not perfect data</strong> – focus on data domains that can be reused across multiple use cases; perfection is not required to start【249839388272364†L249-L254】.</li> <li> <strong>Reuse models, prompts and patterns</strong> – develop reuse strategies for AI assets to accelerate delivery and sustain impact【249839388272364†L256-L262】.</li> </ol> <p>These principles mirror the earlier lessons: start small, integrate the stack, manage costs and focus on reusable infrastructure.</p> <h2> Case studies: small‑scale transformations and industry examples </h2> <p><strong>CarMax:</strong> CarMax uses generative AI to summarise thousands of customer reviews so that shoppers can quickly compare vehicles【371789606176673†L164-L190】. By targeting a specific, high‑impact task (content summarisation), CarMax achieved measurable value without overhauling its entire tech stack【371789606176673†L195-L199】. This demonstrates the benefit of starting with well‑scoped use cases.</p> <p><strong>E‑commerce chatbots:</strong> Many retailers deploy chatbots built on large language models to deliver personalised shopping experiences and support. MIT Sloan notes that companies such as Adobe and Canva embed generative AI tools directly into their products, enabling users to generate designs or content【371789606176673†L187-L190】. These features are integrated into existing workflows rather than replacing them.</p> <p><strong>Colgate‑Palmolive:</strong> The consumer goods firm applies <strong>retrieval‑augmented generation</strong> to its vast trove of proprietary research and third‑party data【371789606176673†L206-L218】. Employees can query this data using natural language and receive synthesized insights, speeding up market research. Colgate also uses generative AI to develop and test new product concepts with <strong>digital consumer twins</strong>, enabling rapid iteration and reducing the need for physical focus groups【371789606176673†L221-L226】. Access to the company’s AI hub requires training in responsible use, and thousands of employees report improved creativity【371789606176673†L228-L233】. This case underscores the value of combining domain expertise with AI and investing in governance and education.</p> <p><strong>Liberty Mutual and Sanofi:</strong> These companies use <strong>intelligent choice architectures</strong> that combine predictive and generative AI to generate sets of options and explain trade‑offs【371789606176673†L237-L256】. Liberty Mutual helps claims adjusters triage calls, while Sanofi uses AI to optimise investment decisions and overcome sunk‑cost bias【371789606176673†L248-L252】. Such systems shift decision rights from individuals to the environment, raising governance questions about accountability and oversight【371789606176673†L254-L263】.</p> <p>These case studies illustrate that successful AI applications often start with narrowly defined, high‑value tasks and expand gradually. They also highlight the importance of <strong>human oversight</strong>, <strong>data governance</strong> and <strong>employee training</strong>.</p> <h2> Lessons for developers and tech leads </h2> <p>For engineers building AI‑powered features, the following guidelines can help turn theory into practice:</p> <ul> <li><p><strong>Start with a concrete problem and success metrics.</strong> Identify pain points where AI can deliver quantifiable improvements (e.g., reducing support response times or increasing conversion rates). Define how you will measure success and align with business stakeholders.</p></li> <li><p><strong>Prioritise data quality and accessibility.</strong> Work with data engineers to ensure that the necessary data is available, clean and ethically sourced. Document data lineage and include bias checks【138012276578581†L169-L193】.</p></li> <li><p><strong>Design for privacy and security.</strong> Consider how sensitive information flows through your models, apply differential privacy where appropriate and adhere to regulations such as GDPR or Brazil’s LGPD. Use retrieval‑augmented generation or prompt sanitization to prevent leaking confidential data.</p></li> <li><p><strong>Choose the right architecture.</strong> For classical ML tasks, you might deploy models behind REST or gRPC APIs; for generative AI features, you may need to orchestrate multiple services—LLMs, embedding databases, vector stores and caching layers【249839388272364†L183-L190】. Build modular services that you can swap out as models evolve.</p></li> <li><p><strong>Invest in MLOps and monitoring.</strong> Automate model training, deployment and rollback. Monitor accuracy, latency and drift; plan for retraining and iterative improvement【138012276578581†L283-L295】.</p></li> <li><p><strong>Implement responsible AI practices.</strong> Build fairness and explainability into your pipeline. Document model limitations and include human‑in‑the‑loop mechanisms for high‑impact decisions. Train team members on responsible use, as Colgate‑Palmolive does with its AI hub【371789606176673†L228-L233】.</p></li> <li><p><strong>Iterate and scale gradually.</strong> Start with a pilot, validate value, then integrate AI deeper into your stack. Reuse models, prompts and infrastructure to accelerate subsequent projects【249839388272364†L256-L262】.</p></li> </ul> <h2> Summary </h2> <p>Real‑world AI success is less about the sophistication of the model and more about <strong>data readiness</strong>, <strong>problem selection</strong>, <strong>team collaboration</strong> and <strong>governance</strong>. Lessons from MIT Sloan highlight the need for a strong data strategy, carefully chosen use cases, cross‑functional teams and long‑term thinking【138012276578581†L169-L193】【138012276578581†L204-L214】. Generative AI adds additional challenges: integrating an entire tech stack, managing costs and ensuring reuse【249839388272364†L183-L190】【249839388272364†L200-L218】. Case studies from CarMax, Colgate‑Palmolive, Liberty Mutual and Sanofi demonstrate that starting with targeted, high‑value applications and investing in training and governance leads to measurable outcomes【371789606176673†L164-L190】【371789606176673†L206-L233】. By applying these lessons, experienced developers and tech leads can build AI solutions that deliver real value while minimizing risk.</p> ai machinelearning casestudy techlead How to Create Two‑Factor Authentication (2FA) and Best Practices Wesley Israel Fri, 01 Aug 2025 23:24:28 +0000 https://dev.to/wesleyisr4/how-to-create-two-factor-authentication-2fa-and-best-practices-4mjl https://dev.to/wesleyisr4/how-to-create-two-factor-authentication-2fa-and-best-practices-4mjl <p>Two‑factor authentication (2FA) is no longer optional for modern web and mobile applications. Passwords are easy to guess, steal or reuse, and API endpoints are under constant attack (some sources estimate <strong>over 90 k attacks on APIs per minute</strong>[1]). By adding a second factor—such as a time‑based one‑time password (TOTP), hardware token or passkey—you drastically reduce the risk of credential stuffing, phishing, session hijacking and other common threats. In this article you will learn <strong>why 2FA matters, how to implement it in a Node.js/TypeScript backend and integrate it with React/Next.js</strong>, and what security practices you should follow to avoid common pitfalls.</p> <h2> Why 2FA matters </h2> <p>Two‑factor authentication is a specific type of multi‑factor authentication requiring <strong>two distinct forms of identification</strong>[1]. The most common combination is “something you know” (password or PIN) and “something you have” (smartphone running an authenticator app). 2FA mitigates several attack vectors:</p> <ul> <li> <strong>Credential theft and replay attacks</strong> – Even if a password is compromised, an attacker cannot log in without the second factor.</li> <li> <strong>Phishing and social engineering</strong> – OTPs expire quickly and cannot be reused.</li> <li> <strong>Brute‑force and credential stuffing</strong> – Rate‑limiting on OTP verification makes automated attacks impractical[3].</li> </ul> <p>2FA is also <strong>simple and cost‑effective for end users</strong>. Most authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) are free and widely available, and scanning a QR code is easier than typing complex passwords[1].</p> <h2> Recommended 2FA strategies </h2> <p>The OWASP Multifactor Authentication cheat sheet outlines several high‑level recommendations suitable for most applications[2]:</p> <ul> <li>Require <strong>some form of MFA for all users</strong>.</li> <li>Provide users the option to enable MFA using <strong>TOTP</strong>.</li> <li>Always enforce MFA for <strong>administrators or high‑privilege accounts</strong>.</li> <li>Implement a <strong>secure MFA reset process</strong> (recovery codes, support workflow).</li> <li>Consider third‑party MFA providers if you lack the resources to build and maintain your own implementation.</li> </ul> <p>Teleport’s <strong>Authentication Best Practices</strong> add further hardening guidelines[3]:</p> <ul> <li>Prefer <strong>passwordless or hardware‑token (U2F) based 2FA</strong> over TOTP or SMS.</li> <li>Ensure <strong>authenticated sessions are created only after successful 2FA verification</strong>.</li> <li>Require <strong>re‑authentication to change 2FA settings</strong>.</li> <li>Apply <strong>rate‑limiting</strong> to failed 2FA attempts.</li> </ul> <p>These recommendations should drive your design regardless of the framework or language you use.</p> <h2> Implementing TOTP 2FA in Node.js / TypeScript </h2> <h3> Choosing a library </h3> <p>Historically many tutorials used the <a href="https://github.com/levelfour/speakeasy" rel="noopener noreferrer">speakeasy</a> library to generate and verify TOTPs. However, <strong>speakeasy has not been updated in several years</strong>, prompting many developers to switch to more actively maintained alternatives. The <a href="https://codevoweb.com/two-factor-authentication-2fa-in-nodejs/" rel="noopener noreferrer">codevoweb tutorial</a> notes that speakeasy’s maintenance gap is a common pain point and recommends using the <code>otpauth</code> library instead[1].</p> <p>We will use the <a href="https://www.npmjs.com/package/otpauth" rel="noopener noreferrer"><code>otpauth</code></a> package for generating secrets and verifying tokens. You will also need <code>qrcode</code> to render the QR code used by the authenticator app.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>otpauth qrcode </code></pre> </div> <h3> Generating a TOTP secret and QR code </h3> <p>Create a helper module <code>2fa.ts</code> that handles generation and verification of TOTP secrets. The example uses TypeScript and assumes you store the secret in your database associated with the user record (ideally encrypted at rest):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/utils/twoFactor.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">TOTP</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">otpauth</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">QRCode</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">qrcode</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">TwoFactorSecret</span> <span class="p">{</span> <span class="nl">secret</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// base32 encoded secret</span> <span class="nl">otpauthUrl</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// URI for authenticator apps</span> <span class="nl">qrCodeDataUrl</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// data URL for QR code</span> <span class="p">}</span> <span class="cm">/** * Generate a TOTP secret for a user and return the secret and QR code. */</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">generateTwoFactorSecret</span><span class="p">(</span><span class="nx">userEmail</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">TwoFactorSecret</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// The label becomes the account name shown in the authenticator app</span> <span class="kd">const</span> <span class="nx">totp</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TOTP</span><span class="p">({</span> <span class="na">issuer</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YourAppName</span><span class="dl">'</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="nx">userEmail</span><span class="p">,</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SHA1</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// RFC 6238 default</span> <span class="na">digits</span><span class="p">:</span> <span class="mi">6</span><span class="p">,</span> <span class="na">period</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="nx">totp</span><span class="p">.</span><span class="nx">secret</span><span class="p">.</span><span class="nx">base32</span><span class="p">;</span> <span class="c1">// store this in DB (encrypted)</span> <span class="kd">const</span> <span class="nx">otpauthUrl</span> <span class="o">=</span> <span class="nx">totp</span><span class="p">.</span><span class="nf">toString</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">qrCodeDataUrl</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">QRCode</span><span class="p">.</span><span class="nf">toDataURL</span><span class="p">(</span><span class="nx">otpauthUrl</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">secret</span><span class="p">,</span> <span class="nx">otpauthUrl</span><span class="p">,</span> <span class="nx">qrCodeDataUrl</span> <span class="p">};</span> <span class="p">}</span> <span class="cm">/** * Verify a user‑supplied TOTP token. */</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">verifyTwoFactorToken</span><span class="p">(</span><span class="nx">token</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">secret</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">totp</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TOTP</span><span class="p">({</span> <span class="nx">secret</span> <span class="p">});</span> <span class="c1">// Use the built‑in check; allows slight clock drift and returns the matching delta</span> <span class="kd">const</span> <span class="nx">delta</span> <span class="o">=</span> <span class="nx">totp</span><span class="p">.</span><span class="nf">validate</span><span class="p">({</span> <span class="nx">token</span><span class="p">,</span> <span class="na">window</span><span class="p">:</span> <span class="mi">1</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">delta</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The <code>generateTwoFactorSecret</code> function constructs a new TOTP with an <strong>issuer</strong> (your application name) and <strong>label</strong> (the user’s email) and returns a Base32 secret and a QR code. The <code>verifyTwoFactorToken</code> function validates a 6‑digit token using the secret stored in your database and allows a small time window (<code>window: 1</code>) to account for clock drift.</p> <h3> Express route handlers </h3> <p>Create a set of endpoints to enable, verify and disable 2FA for a user. These handlers assume you have user authentication and session management in place using JWT or session cookies. The 2FA state is stored on the user model (<code>twoFactorEnabled: boolean</code>, <code>twoFactorSecret: string | null</code>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/routes/twoFactorRoutes.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Router</span><span class="p">,</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">generateTwoFactorSecret</span><span class="p">,</span> <span class="nx">verifyTwoFactorToken</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../utils/twoFactor</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">prisma</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../db</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nc">Router</span><span class="p">();</span> <span class="c1">// Step 1: generate secret and send QR code</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/generate</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="c1">// assume user is authenticated</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">}</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">?.</span><span class="nx">twoFactorEnabled</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2FA already enabled</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">secret</span><span class="p">,</span> <span class="nx">qrCodeDataUrl</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateTwoFactorSecret</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="c1">// Save secret (hashed or encrypted) but don’t mark 2FA as enabled yet</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">twoFactorTempSecret</span><span class="p">:</span> <span class="nx">secret</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">qrCodeDataUrl</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Step 2: verify token and enable 2FA</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/verify</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">}</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">?.</span><span class="nx">twoFactorTempSecret</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No 2FA setup in progress</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="nf">verifyTwoFactorToken</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">twoFactorTempSecret</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Move the secret to permanent field and mark as enabled</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">twoFactorSecret</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">twoFactorTempSecret</span><span class="p">,</span> <span class="na">twoFactorTempSecret</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">twoFactorEnabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2FA enabled</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Step 3: validate 2FA token during login</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/validate</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">}</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">?.</span><span class="nx">twoFactorEnabled</span> <span class="o">||</span> <span class="o">!</span><span class="nx">user</span><span class="p">.</span><span class="nx">twoFactorSecret</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2FA not enabled</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="nf">verifyTwoFactorToken</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">twoFactorSecret</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isValid</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Optionally increment failed attempt counter and rate‑limit</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Mark the session as 2FA‑verified</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">twoFactorVerified</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2FA validation successful</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Step 4: disable 2FA (require re‑authentication and 2FA)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/disable</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">}</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">?.</span><span class="nx">twoFactorEnabled</span> <span class="o">||</span> <span class="o">!</span><span class="nx">user</span><span class="p">.</span><span class="nx">twoFactorSecret</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2FA not enabled</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Verify token again before disabling</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="nf">verifyTwoFactorToken</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">twoFactorSecret</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">twoFactorEnabled</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">twoFactorSecret</span><span class="p">:</span> <span class="kc">null</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2FA disabled</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <h4> Key security considerations </h4> <ul> <li> <strong>Never store TOTP secrets in plain text</strong>. Encrypt secrets at rest (e.g., with libsodium or AWS KMS) and <strong>hash</strong> them using HMAC if you only need to verify tokens but not regenerate the QR code.</li> <li> <strong>Rate‑limit failed verification attempts</strong> to mitigate brute‑force attacks[3].</li> <li> <strong>Mark the session as 2FA‑verified</strong> after successful token validation and require this flag before issuing a JWT or setting a session cookie[3].</li> <li> <strong>Require password+2FA for sensitive operations</strong> (updating email, password, or disabling 2FA)[2].</li> </ul> <h2> Integrating 2FA into React / Next.js </h2> <p>For the frontend we will build a simple component to enable and verify 2FA. When the user clicks “Enable 2FA,” the client fetches the QR code from <code>/generate</code>. The user scans the code with an authenticator app and enters the current 6‑digit token to enable 2FA.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// components/TwoFactorSetup.tsx</span> <span class="k">import</span> <span class="nx">React</span><span class="p">,</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Image</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/image</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">axios</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">axios</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">TwoFactorSetup</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">qrCode</span><span class="p">,</span> <span class="nx">setQrCode</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">token</span><span class="p">,</span> <span class="nx">setToken</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">enabled</span><span class="p">,</span> <span class="nx">setEnabled</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">handleGenerate</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/auth/otp/generate</span><span class="dl">'</span><span class="p">);</span> <span class="nf">setQrCode</span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">qrCodeDataUrl</span><span class="p">);</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">handleVerify</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/auth/otp/verify</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">});</span> <span class="nf">setEnabled</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nf">alert</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid token</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="si">{</span><span class="o">!</span><span class="nx">qrCode</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">enabled</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">handleGenerate</span><span class="si">}</span><span class="p">&gt;</span>Enable 2FA<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="si">{</span><span class="nx">qrCode</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">enabled</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Scan this QR code with your authenticator app:<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Image</span> <span class="na">src</span><span class="p">=</span><span class="si">{</span><span class="nx">qrCode</span><span class="si">}</span> <span class="na">alt</span><span class="p">=</span><span class="s">"2FA QR code"</span> <span class="na">width</span><span class="p">=</span><span class="si">{</span><span class="mi">150</span><span class="si">}</span> <span class="na">height</span><span class="p">=</span><span class="si">{</span><span class="mi">150</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"text"</span> <span class="na">placeholder</span><span class="p">=</span><span class="s">"Enter 6‑digit code"</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">token</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setToken</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">handleVerify</span><span class="si">}</span><span class="p">&gt;</span>Verify <span class="err">&amp;</span> Activate<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="si">{</span><span class="nx">enabled</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Two‑factor authentication is enabled on your account.<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The server and client exchange JSON only; the actual secret never leaves the server. You should protect these endpoints behind your existing <strong>authentication middleware</strong> so that only authenticated users can enable or disable 2FA.</p> <h3> React Native considerations </h3> <p>For mobile apps built with React Native, you can either:</p> <ul> <li>Delegate scanning to the OS by displaying the <strong>otpauth URL</strong> as a link. On iOS and Android, authenticator apps can intercept <code>otpauth://</code> URIs and prompt the user to add the account.</li> <li>Use a QR‑code scanner library such as <code>react-native-camera</code> or <code>expo-barcode-scanner</code> to scan the QR code and display a manual entry field for the 6‑digit token.</li> </ul> <p>When handling 2FA on mobile, <strong>never embed the TOTP secret in the mobile code</strong>. Always fetch and verify tokens via your backend API.</p> <h2> Beyond TOTP: Passkeys and hardware tokens </h2> <p>TOTP is popular because it is easy to implement and broadly supported. However, modern security guidelines recommend <strong>passwordless or hardware‑based 2FA</strong> whenever possible[3]. Passkeys (FIDO2/WebAuthn) combine the security of possession factors with biometric or PIN verification and provide resistance to phishing[2]. You can integrate passkeys in web applications using the <strong>WebAuthn API</strong> (<code>navigator.credentials.create</code> and <code>navigator.credentials.get</code>) with server‑side libraries like <a href="https://github.com/MasterKale/SimpleWebAuthn" rel="noopener noreferrer">@simplewebauthn/server</a>.</p> <p>Hardware tokens (U2F) provide similar benefits and can be registered as an additional factor. When designing a 2FA system, <strong>offer multiple factor types</strong> (TOTP, passkey, hardware token) and let users select their preferred method. For high‑privilege accounts, require at least one hardware token.</p> <h2> Common mistakes and anti‑patterns </h2> <ul> <li> <strong>Storing secrets insecurely</strong> – Never store TOTP secrets unhashed or unencrypted. Use an HSM or key management service (KMS) to protect secrets.</li> <li> <strong>Relying on SMS or email for 2FA</strong> – SMS OTPs are susceptible to SIM swapping and phishing. Email OTPs can be intercepted. Prefer TOTP, passkeys or hardware tokens[3].</li> <li> <strong>Missing rate‑limiting</strong> – Without rate limits, attackers can brute‑force 2FA tokens. Use algorithms like token bucket or leaky bucket to rate‑limit failed attempts[3].</li> <li> <strong>No session flag for 2FA</strong> – You must track whether a user has completed 2FA. Failing to do so can allow bypassing the second factor by replaying a valid session cookie[3].</li> <li> <strong>Out‑of‑band MFA reset</strong> – Don’t allow users to reset 2FA via email without verifying their identity. Provide recovery codes and require additional verification when resetting MFA[2].</li> <li> <strong>Using unmaintained libraries</strong> – Choose actively maintained TOTP/FIDO2 libraries. The <code>speakeasy</code> library has not been updated for years[1], so prefer alternatives like <code>otpauth</code> or <code>@simplewebauthn</code>.</li> <li> <strong>Prompting for 2FA too often</strong> – Excessive prompts frustrate users and lead them to disable MFA. Implement <strong>risk‑based authentication</strong> to require MFA only in high‑risk scenarios (new device, unusual location)[2].</li> </ul> <h2> Summary and next steps </h2> <p>Two‑factor authentication significantly enhances the security of your applications by requiring an additional proof of identity beyond passwords. Following OWASP’s recommendations—enforcing MFA for all users, providing TOTP for convenience, securing the MFA reset process and considering third‑party providers[2]—will put you on solid footing. When implementing 2FA in your Node.js/TypeScript backend, use reliable libraries like <code>otpauth</code>, secure secrets at rest, track 2FA state in the session and apply rate‑limiting. On the frontend, guide users through scanning a QR code and entering the OTP, and consider supporting passkeys and hardware tokens for a passwordless future[3].</p> <p>With these practices you can ship a robust 2FA solution that protects both your users and your infrastructure. For further reading, explore the <strong>OWASP Multifactor Authentication cheat sheet</strong>, Teleport’s <strong>Authentication Best Practices</strong>, and libraries such as <a href="https://github.com/MasterKale/SimpleWebAuthn" rel="noopener noreferrer"><code>@simplewebauthn/server</code></a> for passkey support.</p> <h2> References </h2> <p>[1] CodevoWeb – <em>How to Implement Two‑factor Authentication (2FA) in Node.js</em>. 2023. <a href="https://codevoweb.com/two-factor-authentication-2fa-in-nodejs/" rel="noopener noreferrer">https://codevoweb.com/two-factor-authentication-2fa-in-nodejs/</a>.</p> <p>[2] OWASP Cheat Sheet Series – <em>Multifactor Authentication Cheat Sheet</em>. <a href="https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html" rel="noopener noreferrer">https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html</a>.</p> <p>[3] Teleport – <em>Authentication Best Practices</em> (2022). <a href="https://goteleport.com/blog/authentication-best-practices/" rel="noopener noreferrer">https://goteleport.com/blog/authentication-best-practices/</a>.</p> Implementing a Leaky Bucket Rate Limiting System in Node.js: Wesley Israel Fri, 18 Jul 2025 21:11:32 +0000 https://dev.to/wesleyisr4/implementing-a-leaky-bucket-rate-limiting-system-in-nodejs-35no https://dev.to/wesleyisr4/implementing-a-leaky-bucket-rate-limiting-system-in-nodejs-35no <h2> 📋 Introduction </h2> <p>Recently, I faced a fascinating technical challenge: implementing a complete rate limiting system using the <strong>Leaky Bucket</strong> strategy in Node.js. The project involved creating an HTTP server with authentication, GraphQL for PIX queries, and a multi-tenant system with granular token control.</p> <p>In this article, I'll share my complete implementation journey, from initial architecture to final testing, including all technical decisions and challenges faced.</p> <h2> 🎯 The Challenge </h2> <p>The goal was to build a system that:</p> <ul> <li>✅ Node.js HTTP server with Koa.js and TypeScript</li> <li>✅ Multi-tenancy strategy (each user with their own bucket)</li> <li>✅ Bearer Token authentication (JWT)</li> <li>✅ GraphQL mutation for PIX query</li> <li>✅ Leaky Bucket strategy for token control</li> <li>✅ Complete tests with Jest</li> <li>✅ Postman documentation</li> <li>✅ Load testing with k6</li> </ul> <h2> 🏗️ System Architecture </h2> <h3> Project Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>leaky-bucket/ ├── src/ │ ├── middleware/ # Authentication and rate limiting middlewares │ ├── services/ # Business logic (auth, leaky bucket, PIX) │ ├── graphql/ # GraphQL schema and resolvers │ ├── models/ # Data models │ ├── utils/ # Utilities (JWT, logger, metrics) │ └── server.ts # Main server ├── tests/ # Jest and load tests ├── docs/ # Documentation and Postman └── scripts/ # Automation scripts </code></pre> </div> <h3> Data Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client → Auth Middleware → Leaky Bucket → GraphQL Resolver → PIX Service </code></pre> </div> <h2> 🔧 Detailed Implementation </h2> <h3> 1. Initial Configuration </h3> <p>I started by configuring the environment with TypeScript and necessary dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"koa"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^2.14.2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"koa-router"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^12.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"graphql"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^16.8.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"apollo-server-koa"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^3.12.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"jsonwebtoken"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^9.0.2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bcryptjs"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^2.4.3"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 2. Multi-Tenancy Strategy </h3> <p>I implemented a system where each user has their own token bucket:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/models/user.ts</span> <span class="kr">interface</span> <span class="nx">User</span> <span class="p">{</span> <span class="nl">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">password</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">tokens</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">maxTokens</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">lastRefill</span><span class="p">:</span> <span class="nb">Date</span><span class="p">;</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">UserRepository</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">users</span><span class="p">:</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">User</span><span class="o">&gt;</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">();</span> <span class="nf">createUser</span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">password</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">User</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span><span class="p">:</span> <span class="nx">User</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nf">generateId</span><span class="p">(),</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nf">hashPassword</span><span class="p">(</span><span class="nx">password</span><span class="p">),</span> <span class="na">tokens</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="c1">// Initial tokens</span> <span class="na">maxTokens</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">lastRefill</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="p">};</span> <span class="k">this</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">user</span><span class="p">);</span> <span class="k">return</span> <span class="nx">user</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 3. JWT Authentication </h3> <p>The authentication middleware validates tokens and extracts user information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/middleware/auth.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authMiddleware</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">:</span> <span class="nx">Context</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">Next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">authHeader</span> <span class="o">||</span> <span class="o">!</span><span class="nx">authHeader</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">UnauthorizedError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Authentication token required</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">authHeader</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">7</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">JWT_SECRET</span><span class="p">)</span> <span class="k">as</span> <span class="nx">JWTPayload</span><span class="p">;</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">state</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="k">await</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <h3> 4. Leaky Bucket Strategy </h3> <p>The Leaky Bucket implementation was the heart of the system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/services/leakyBucketService.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">LeakyBucketService</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">LEAK_RATE</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">// tokens per second</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">REFILL_INTERVAL</span> <span class="o">=</span> <span class="mi">1000</span><span class="p">;</span> <span class="c1">// 1 second</span> <span class="k">async</span> <span class="nf">consumeToken</span><span class="p">(</span><span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Calculate leaked tokens since last refill</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">timeDiff</span> <span class="o">=</span> <span class="nx">now</span><span class="p">.</span><span class="nf">getTime</span><span class="p">()</span> <span class="o">-</span> <span class="nx">user</span><span class="p">.</span><span class="nx">lastRefill</span><span class="p">.</span><span class="nf">getTime</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">leakedTokens</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nx">timeDiff</span> <span class="o">/</span> <span class="k">this</span><span class="p">.</span><span class="nx">REFILL_INTERVAL</span><span class="p">)</span> <span class="o">*</span> <span class="k">this</span><span class="p">.</span><span class="nx">LEAK_RATE</span><span class="p">;</span> <span class="c1">// Update available tokens</span> <span class="kd">const</span> <span class="nx">newTokens</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">maxTokens</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">tokens</span> <span class="o">+</span> <span class="nx">leakedTokens</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">newLastRefill</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span> <span class="nx">now</span><span class="p">.</span><span class="nf">getTime</span><span class="p">()</span> <span class="o">-</span> <span class="p">(</span><span class="nx">timeDiff</span> <span class="o">%</span> <span class="k">this</span><span class="p">.</span><span class="nx">REFILL_INTERVAL</span><span class="p">)</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">newTokens</span> <span class="o">&lt;</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="c1">// No tokens available</span> <span class="p">}</span> <span class="c1">// Consume one token</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">updateTokens</span><span class="p">(</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">newTokens</span> <span class="o">-</span> <span class="mi">1</span><span class="p">,</span> <span class="nx">newLastRefill</span> <span class="p">);</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 5. GraphQL for PIX Query </h3> <p>I implemented a complete GraphQL schema:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/graphql/types.ts</span> <span class="kd">const</span> <span class="nx">typeDefs</span> <span class="o">=</span> <span class="nx">gql</span><span class="s2">` type User { id: ID! email: String! name: String! } type PixQueryResult { success: Boolean! pixKey: String! value: Float! accountHolder: String! accountType: String! bankName: String! message: String! } type TokenStatus { tokens: Int! maxTokens: Int! lastRefill: String! } type Query { tokenStatus: TokenStatus! } type Mutation { register(email: String!, password: String!, name: String!): AuthResult! login(email: String!, password: String!): AuthResult! queryPixKey(pixKey: String!, value: Float!): PixQueryResult! } `</span><span class="p">;</span> </code></pre> </div> <h3> 6. Rate Limiting Middleware </h3> <p>The middleware integrates Leaky Bucket with requests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/middleware/leakyBucket.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">leakyBucketMiddleware</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">ctx</span><span class="p">:</span> <span class="nx">Context</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">Next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">state</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hasToken</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">leakyBucketService</span><span class="p">.</span><span class="nf">consumeToken</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">userId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">hasToken</span><span class="p">)</span> <span class="p">{</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">status</span> <span class="o">=</span> <span class="mi">429</span><span class="p">;</span> <span class="c1">// Too Many Requests</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">body</span> <span class="o">=</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Rate limit exceeded</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">You have exceeded the request limit. Try again in a few seconds.</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">await</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <h2> 🧪 Comprehensive Testing </h2> <h3> Unit Tests with Jest </h3> <p>I implemented 68 tests covering all scenarios:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/__tests__/leakyBucket.test.ts</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">LeakyBucketService</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">should consume token when available</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">service</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">LeakyBucketService</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">service</span><span class="p">.</span><span class="nf">consumeToken</span><span class="p">(</span><span class="dl">'</span><span class="s1">user1</span><span class="dl">'</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">should reject when no tokens</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Consume all tokens</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="mi">10</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">service</span><span class="p">.</span><span class="nf">consumeToken</span><span class="p">(</span><span class="dl">'</span><span class="s1">user1</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">service</span><span class="p">.</span><span class="nf">consumeToken</span><span class="p">(</span><span class="dl">'</span><span class="s1">user1</span><span class="dl">'</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h3> Load Testing with k6 </h3> <p>I created load testing scripts to validate behavior under stress:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// tests/load/stress-test.js</span> <span class="k">import</span> <span class="nx">http</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">k6/http</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">check</span><span class="p">,</span> <span class="nx">sleep</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">k6</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">stages</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">100</span> <span class="p">},</span> <span class="c1">// Ramp up</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">5m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">100</span> <span class="p">},</span> <span class="c1">// Constant load</span> <span class="p">{</span> <span class="na">duration</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2m</span><span class="dl">'</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="mi">0</span> <span class="p">},</span> <span class="c1">// Ramp down</span> <span class="p">],</span> <span class="p">};</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">http</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="dl">'</span><span class="s1">http://localhost:3000/graphql</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">query</span><span class="p">:</span> <span class="s2">`mutation QueryPixKey($pixKey: String!, $value: Float!) { queryPixKey(pixKey: $pixKey, value: $value) { success pixKey value accountHolder } }`</span><span class="p">,</span> <span class="na">variables</span><span class="p">:</span> <span class="p">{</span> <span class="na">pixKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">test@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="mf">100.5</span> <span class="p">},</span> <span class="p">},</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> <span class="nf">check</span><span class="p">(</span><span class="nx">response</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">status is 200</span><span class="dl">'</span><span class="p">:</span> <span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">200</span><span class="p">,</span> <span class="dl">'</span><span class="s1">rate limited when needed</span><span class="dl">'</span><span class="p">:</span> <span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">429</span> <span class="o">||</span> <span class="nx">r</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">200</span><span class="p">,</span> <span class="p">});</span> <span class="nf">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> 📚 Complete Documentation </h2> <h3> Postman Collection </h3> <p>I created a complete collection with all endpoints:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"info"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Leaky Bucket API"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Complete API with authentication and rate limiting"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"item"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Auth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"item"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Register"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"POST"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:3000/graphql"</span><span class="p">,</span><span class="w"> </span><span class="nl">"body"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"raw"</span><span class="p">,</span><span class="w"> </span><span class="nl">"raw"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">query</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">mutation Register($email: String!, $password: String!, $name: String!) { register(email: $email, password: $password, name: $name) { success token user { id email name } } }</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">variables</span><span class="se">\"</span><span class="s2">:{</span><span class="se">\"</span><span class="s2">email</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">test@example.com</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">password</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">password123</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">name</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">Test User</span><span class="se">\"</span><span class="s2">}}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"raw"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"language"</span><span class="p">:</span><span class="w"> </span><span class="s2">"json"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Detailed README </h3> <p>I documented the entire project with:</p> <ul> <li>📖 Installation and configuration guide</li> <li>🏗️ Architecture and data flow</li> <li>🔧 Environment configuration</li> <li>🧪 How to run tests</li> <li>📊 Metrics and monitoring</li> <li>🔒 Security considerations</li> </ul> <h2> 🚀 Deployment and Configuration </h2> <h3> Automation Scripts </h3> <p>I created scripts to facilitate development:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># scripts/setup-env.sh</span> <span class="nb">echo</span> <span class="s2">"🚀 Setting up Leaky Bucket environment..."</span> <span class="c"># Create .env file if it doesn't exist</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> .env <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">cat</span> <span class="o">&gt;</span> .env <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> # Server Configuration PORT=3000 NODE_ENV=development # JWT JWT_SECRET=your-super-secret-jwt-key-change-in-production JWT_EXPIRES_IN=24h # Leaky Bucket INITIAL_TOKENS=10 MAX_TOKENS=10 LEAK_RATE=1 REFILL_INTERVAL=1000 # Logging LOG_LEVEL=info # Tests TEST_USER_EMAIL=test@example.com TEST_USER_PASSWORD=password123 TEST_USER_NAME=Test User </span><span class="no">EOF </span> <span class="nb">echo</span> <span class="s2">"✅ .env file created successfully!"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"ℹ️ .env file already exists"</span> <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"🎉 Environment configured! Run 'npm run dev' to start the server"</span> </code></pre> </div> <h2> 📊 Results and Metrics </h2> <h3> Test Performance </h3> <ul> <li> <strong>68 Jest tests</strong>: ✅ All passing</li> <li> <strong>Load tests</strong>: ✅ Rate limiting working</li> <li> <strong>Response time</strong>: &lt; 100ms for normal requests</li> <li> <strong>Throughput</strong>: 1000+ req/s with active rate limiting</li> </ul> <h3> Feature Coverage </h3> <ul> <li>✅ <strong>100%</strong> of mandatory requirements implemented</li> <li>✅ <strong>93%</strong> of bonus requirements implemented</li> <li>✅ <strong>100%</strong> of tests passing</li> <li>✅ <strong>100%</strong> of documentation complete</li> </ul> <h2> 🔍 Challenges and Solutions </h2> <h3> 1. Token Synchronization </h3> <p><strong>Challenge</strong>: Ensuring tokens are consumed atomically in multi-thread environment.</p> <p><strong>Solution</strong>: Implemented a user-based locking system using Map and atomic operations.</p> <h3> 2. Environment Configuration </h3> <p><strong>Challenge</strong>: Maintaining consistent configurations between development and production.</p> <p><strong>Solution</strong>: Created environment variable system with validation and default values.</p> <h3> 3. Load Testing </h3> <p><strong>Challenge</strong>: Simulating realistic load and validating rate limiting.</p> <p><strong>Solution</strong>: Implemented k6 tests with different scenarios (spike, stress, load).</p> <h2> 🎯 Lessons Learned </h2> <ol> <li> <strong>Modular Architecture</strong>: Clear separation of responsibilities facilitated testing and maintenance</li> <li> <strong>Comprehensive Testing</strong>: Unit + integration + load tests are essential</li> <li> <strong>Documentation</strong>: Documenting from the beginning saves time in the future</li> <li> <strong>Configuration</strong>: Automating environment setup improves DX</li> <li> <strong>Rate Limiting</strong>: Leaky Bucket is more efficient than Token Bucket for specific use cases</li> </ol> <h2> 🔮 Next Steps </h2> <p>To evolve the system, I would consider:</p> <ul> <li>🔄 Implement Redis for token persistence</li> <li>📈 Add metrics with Prometheus</li> <li>🔐 Implement refresh tokens</li> <li>🌐 Add IP-based rate limiting</li> <li>📱 Create React + Relay frontend</li> </ul> <h2> 📝 Conclusion </h2> <p>This project demonstrated the importance of well-thought architecture, comprehensive testing, and complete documentation. The resulting system is robust, scalable, and production-ready.</p> <p>The Leaky Bucket strategy proved effective for rate limiting, and GraphQL integration provided a flexible and well-documented API.</p> <p><strong>Complete code</strong>: <a href="https://github.com/WesleyIsr4/leaky-bucket" rel="noopener noreferrer">GitHub Repository</a></p> <p><em>Liked the article? Leave a ❤️ and share with other developers!</em></p> node typescript graphql k6