
Conversation

codewkaushik404
Contributor

User Authentication and Authorization

This PR implements user authentication and authorization functionality for the backend, including:

Features Implemented

  • User Signup: POST /api/auth/signup
  • User Login: POST /api/auth/login
  • Password Hashing: Uses bcrypt to securely store user passwords in the database
  • JWT Tokens: Implements JSON Web Tokens for secure session management during login

This implementation allows users to register, log in, and receive JWT tokens for session-based authentication.


Closes #24


Type of Change

  • New feature

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code where necessary
  • I have updated documentation (README, Usage, etc.)
  • My changes generate no new warnings or errors
  • I have added tests (if applicable)
  • All tests pass locally with my changes

@Alexandrbig1
Contributor

@codewkaushik404, thanks — we don't need express-async-handler. We're on Express 5 which forwards rejected async handlers to the error middleware natively.

  • Please remove the dependency and any wrapper usage, and ensure the centralized error handler stays in place.
  • Please remove package.json and package-lock.json files.
  • Fix token generation: await User.findOne(...) or accept the user object; sign minimal claims (id/email) and do not call next from a utility. Example: generateToken(user).
  • Do not return password (even hashed) in responses — omit user.password before sending.
  • Unify auth failure messages (use 401 "Invalid email or password") to prevent user enumeration.
  • Fix import path casing: controllers file lives in src/controllers (lowercase).
  • Use a configurable bcrypt cost (>=12 for production) and validate/normalize inputs (email toLowerCase, password length).
  • Add rate limiting on login/signup to mitigate brute-force attacks.
  • Ensure proper HTTP status codes (201 for signup, 400 for validation errors, 401 for auth).
  • Verify process.env.JWT_SECRET_KEY exists & is strong; consider refresh-token flow and token revocation for real deployments.

Please update the PR with these changes and ping for re-review.

@Alexandrbig1
Contributor

Hi @codewkaushik404, any updates?

@codewkaushik404
Contributor Author

codewkaushik404 commented Oct 17, 2025 via email

@Alexandrbig1
Contributor

@codewkaushik404, please read my comment once more; there are still package.json and package-lock.json files, as well as the express-async-handler implementation that we do not need.

@codewkaushik404
Contributor Author

I know.
That's why I haven't raised a PR yet. I am working on it.
Give me some more time and I will revert back with the implementation, the way you wanted it.

@Alexandrbig1
Contributor

@codewkaushik404, ok, but this one is very important to connect authentication with our frontend.

@codewkaushik404 codewkaushik404 deleted the feature/user-signup-login branch October 22, 2025 05:55

Development

Successfully merging this pull request may close these issues.

[Feature]: Setup Authentication and Authorization using JWT