A production-ready RESTful Task Manager API built with Node.js, Express, MongoDB, JWT authentication, and role-based authorization.
This API demonstrates clean backend architecture, secure authentication, and real-world access control patterns suitable for scalable applications.
This project showcases:
- Secure authentication & authorization
- Proper backend folder structure
- Middleware-driven access control
- Clean separation of concerns
- Real-world API behavior (users only see their own data)
Designed with maintainability, security, and scalability in mind.
Features:
- User Authentication: JWT-based login and registration
- Role-based Authorization: Admin vs regular users
- User Management: Create, read, update, delete users
- Task Management: CRUD operations with ownership rules
- Profile Management: Users can update their own profile
- Password Security: Passwords hashed using bcrypt
- Input Validation: Using express-validator for request validation
- Error Handling: Centralized error middleware
Tech stack:
- Node.js
- Express.js
- MongoDB & Mongoose ODM
- bcryptjs for password hashing
- jsonwebtoken (JWT) for authentication
- express-validator for input validation
- Cors for handling cross-origin requests
- Postman (API testing)
Installation:
```bash
git clone https://github.com/scviola/task-manager-backend.git
cd task-manager-backend
npm install
# or
pnpm install
```
Create a .env:
```
PORT=5000
MONGO_URI=<your_mongodb_connection_string>
JWT_SECRET=<your_jwt_secret>
```
Run the server:
```bash
npm run dev # development (nodemon)
npm start # production
```
The API will be running at:
http://localhost:5000
The Task Manager API is deployed and running on Render.
- All API endpoints can be accessed using this base URL:
https://task-manager-api-rghv.onrender.com
Protected routes require a JWT token, sent in the Authorization header:
```
Authorization: Bearer <JWT_TOKEN>
```
Auth routes:
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/auth/register | Register a new user |
| POST | /api/auth/login | Login user and receive JWT |
| GET | /api/auth/me | Get logged-in user profile |
| PUT | /api/auth/me | Update own profile |
| PUT | /api/auth/me/password | Update own password |
User routes:
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/users | Get all users |
| GET | /api/users/:id | Get user by ID |
| POST | /api/users | Create user |
| PUT | /api/users/:id | Update user |
| DELETE | /api/users/:id | Delete user |
Task routes:
| Method | Endpoint | Access | Description |
|---|---|---|---|
| GET | /api/tasks | User/Admin | User gets own tasks, Admin gets all |
| GET | /api/tasks/:id | User/Admin | Get single task |
| POST | /api/tasks | Admin | Create task |
| PUT | /api/tasks/:id | User/Admin | User updates own task, Admin updates any |
| DELETE | /api/tasks/:id | Admin | Delete task |
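The ownership rules in the task table above (users see and update only their own tasks, admins everything), as an added example rather than the project's controllers: the list filter is built as a Mongoose-style query object and the update path checks ownership before touching the document. The `owner` and `completed` fields on the task, the `admin` role string and the sample tasks are assumptions for illustration; the filter is applied to an in-memory array so the code runs without MongoDB.

```javascript
// Added example, not from the repository: task ownership rules with no database.
// Task shape ({ _id, title, completed, owner }) and the 'admin' role are assumed.
const ROLE_ADMIN = 'admin';

// Constructed sample data standing in for the tasks collection.
const sampleTasks = [
  { _id: 't1', title: 'Write docs', completed: false, owner: 'u1' },
  { _id: 't2', title: 'Fix bug',    completed: false, owner: 'u2' },
  { _id: 't3', title: 'Deploy',     completed: true,  owner: 'u1' },
];

// GET /api/tasks: admins get an unrestricted filter, users are scoped to owner.
// The filter is decided server-side from req.user, never from query parameters.
function taskFilterFor(user) {
  return user.role === ROLE_ADMIN ? {} : { owner: user.id };
}

// Apply a flat equality filter the way Task.find(filter) would.
function applyFilter(tasks, filter) {
  return tasks.filter((t) => Object.entries(filter).every(([k, v]) => t[k] === v));
}

function listTasks(user, tasks = sampleTasks) {
  return applyFilter(tasks, taskFilterFor(user));
}

// PUT /api/tasks/:id: a user may modify their own task, an admin any task.
function canModifyTask(user, task) {
  return user.role === ROLE_ADMIN || task.owner === user.id;
}

// Resolve an update into an HTTP status plus the would-be stored document.
function updateTask(user, id, changes, tasks = sampleTasks) {
  const task = tasks.find((t) => t._id === id);
  if (!task) return { status: 404 };
  if (!canModifyTask(user, task)) return { status: 403 };
  // Only whitelisted fields are copied, so a body containing "owner" cannot
  // reassign the task (mass assignment via ...changes would allow that).
  const updated = { ...task };
  if (typeof changes.title === 'string') updated.title = changes.title;
  if (typeof changes.completed === 'boolean') updated.completed = changes.completed;
  return { status: 200, task: updated };
}

if (typeof module !== 'undefined') {
  module.exports = { taskFilterFor, listTasks, canModifyTask, updateTask, sampleTasks };
}
```

Two points a reviewer would look for in the real controllers: the scoping filter must come from the verified token (`req.user`), not from anything the client sends, and the update must copy fields explicitly rather than spreading `req.body` into the document. Returning 403 for another user's task is easiest to test against the "Authorization errors" list below; returning 404 instead avoids confirming that the id exists, and either choice is defensible as long as it is consistent.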
All endpoints were tested using Postman, including:
- Auth flows (register/login/me)
- Role-based access checks
- Token validation
- Authorization errors
- Admin vs user permissions
License: MIT