A secure and scalable backend API for a digital wallet application built with Node.js, Express, and MongoDB. This project implements user authentication, account management, and money transfer functionality similar to Paytm.
- User Authentication: Secure signup and login with JWT tokens
- Password Security: Bcrypt hashing for password protection
- Account Management: User profile management and balance tracking
- Money Transfers: Secure peer-to-peer money transfers with database transactions
- User Search: Search users by name for easy transfers
- Input Validation: Comprehensive request validation using Zod
- Transaction Safety: MongoDB transactions ensure data consistency
- Runtime: Node.js
- Framework: Express.js
- Database: MongoDB with Mongoose ODM
- Authentication: JWT (JSON Web Tokens)
- Password Hashing: Bcrypt
- Validation: Zod
- CORS: Enabled for cross-origin requests (left at its default, the `cors` middleware allows any origin, so restrict it to the frontend's origin before exposing the API to browsers)
```
WalletCore-backend/
├── routes/
│   ├── app.js        # Main router
│   ├── users.js      # User-related routes
│   └── accounts.js   # Account and transfer routes
├── middleware.js     # Authentication middleware
├── userModel.js      # Database models and connection
├── config.js         # Configuration settings
└── app.js            # Main server file
```
- Node.js (v14 or higher)
- MongoDB Atlas account or local MongoDB installation
- npm or yarn package manager
- Clone the repository

  ```bash
  git clone <your-repo-url>
  cd WalletCore-backend
  ```

- Install dependencies

  ```bash
  npm install express mongoose bcrypt jsonwebtoken zod cors body-parser
  ```

- Configure environment
  - Update `config.js` with your JWT secret
  - Update `userModel.js` with your MongoDB connection string
  - Update

- Start the server

  ```bash
  node index.js
  ```

  The server will start on port 3006 by default. The project tree above lists `app.js` as the main server file, so if your checkout has no `index.js`, start `app.js` instead.
Update the MongoDB connection string in `userModel.js`:

```javascript
mongoose.connect("your-mongodb-connection-string");
```

Update the JWT secret in `config.js`:

```javascript
module.exports = {
  JWT_SECRET: "your-super-secret-key-here"
};
```

The secret is the only thing standing between an attacker and a forged token for any user ID, so use a long random value (for example the output of `openssl rand -hex 32`) rather than a memorable string, keep it out of version control, and load it from an environment variable in any shared or production deployment (see the production notes below).

Base URL:

```
http://localhost:3006/api/v1
```

Most endpoints require a Bearer token in the Authorization header:

```
Authorization: Bearer <your-jwt-token>
```
`POST /api/v1/users/signup`

Create a new user account.

Request Body:

```json
{
  "userName": "john_doe",
  "email": "john@example.com",
  "firstName": "John",
  "lastName": "Doe",
  "password": "securepassword123"
}
```

Response:

```json
{
  "message": "User Created",
  "token": "jwt-token-here"
}
```

`POST /api/v1/users/login`

Authenticate an existing user.
Request Body:

```json
{
  "userName": "john_doe",
  "password": "securepassword123"
}
```

Response:

```json
{
  "message": "Login successful",
  "token": "jwt-token-here",
  "user": {
    "userName": "john_doe",
    "email": "john@example.com",
    "firstName": "John",
    "lastName": "Doe"
  }
}
```

Update user information (requires authentication).
Request Body:

```json
{
  "firstName": "Jane",
  "lastName": "Smith",
  "email": "jane@example.com"
}
```

`GET /api/v1/users/bulk`

Search users by name.
Query Parameters:

- `filter` (optional): Search term matched against first name or last name

Response:

```json
{
  "user": [
    {
      "userName": "john_doe",
      "firstName": "John",
      "lastName": "Doe",
      "_id": "user-id-here"
    }
  ]
}
```

The `_id` returned here is the value the transfer endpoint expects in its `to` field.

`GET /api/v1/accounts/balance`

Get current user's account balance (requires authentication).
Response:

```json
{
  "balance": 50000.75
}
```

`POST /api/v1/accounts/transfer`

Transfer money to another user (requires authentication).
Request Body:

```json
{
  "to": "recipient-user-id",
  "amount": 1000
}
```

`to` is the recipient's `_id` as returned by the user search and `amount` must be a positive number; the sender is taken from the token, not from the body. The transfer fails when the sender's balance is insufficient (400) or the recipient account does not exist.

Response:

```json
{
  "message": "Transfer successful"
}
```

Security features:

- Passwords are hashed using bcrypt with a cost factor (salt rounds) of 10
- Plain text passwords are never stored in the database
- Token-based authentication with JWT
- Tokens include the user ID, which is how protected routes identify the caller
- Protected routes verify token validity before the handler runs
- Money transfers use MongoDB transactions
- Ensures atomicity: either both the debit and the credit succeed, or both fail
- Prevents race conditions and data inconsistency
- All requests are validated using Zod schemas
- Type checking and format validation
- Sanitized error messages
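The transfer endpoint and the transaction safety bullets above describe one flow; here it is as an added example that is not the project's own code. The project runs the debit and credit inside a Mongoose session (`startSession` / `startTransaction` / `commitTransaction` / `abortTransaction`) against the Account collection; since that needs a live replica set, the in-memory `Ledger` below is an assumed stand-in that models the same commit-or-discard behaviour so the example runs offline. `Ledger`, `TransferError`, `transfer` and the sample balances at the bottom are constructed for this example, not taken from the project.

```javascript
// Added example, not the project's code: the checks a wallet transfer needs,
// run atomically. Ledger stands in for a Mongoose session; the names here
// (Ledger, TransferError, transfer) are assumptions made for this example.

class TransferError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status; // HTTP status the route handler should answer with
  }
}

class Ledger {
  constructor(accounts) {
    // accounts: plain object mapping userId -> balance
    this.accounts = { ...accounts };
  }

  // Stand-in for session.withTransaction: writes go to a pending map and are
  // copied into the ledger only if `fn` returns normally. If `fn` throws,
  // nothing is written, which is the equivalent of abortTransaction.
  withTransaction(fn) {
    const pending = new Map();
    const tx = {
      findAccount: (userId) => {
        if (!(userId in this.accounts)) return null;
        const balance = pending.has(userId) ? pending.get(userId) : this.accounts[userId];
        return { userId, balance };
      },
      setBalance: (userId, balance) => pending.set(userId, balance),
    };
    const result = fn(tx);
    for (const [userId, balance] of pending) this.accounts[userId] = balance; // commit
    return result;
  }
}

// fromUserId comes from the verified token (req.userId), never from the body.
function transfer(ledger, fromUserId, body) {
  const { to, amount } = body || {};
  if (typeof to !== "string" || to.length === 0) {
    throw new TransferError(400, "Invalid account");
  }
  // Accept only a finite positive number. A string such as "500" would pass
  // loose comparisons, and a negative amount would quietly reverse the
  // direction of the transfer.
  if (typeof amount !== "number" || !Number.isFinite(amount) || amount <= 0) {
    throw new TransferError(400, "Invalid amount");
  }
  if (to === fromUserId) {
    throw new TransferError(400, "Cannot transfer to your own account");
  }
  return ledger.withTransaction((tx) => {
    // Read the sender's balance inside the transaction so the check and the
    // debit operate on the same value.
    const from = tx.findAccount(fromUserId);
    if (!from || from.balance < amount) {
      throw new TransferError(400, "Insufficient balance");
    }
    const dest = tx.findAccount(to);
    if (!dest) {
      throw new TransferError(400, "Invalid account");
    }
    tx.setBalance(fromUserId, from.balance - amount);
    tx.setBalance(to, dest.balance + amount);
    return { message: "Transfer successful" };
  });
}

// Constructed sample data for a stand-alone run (not real account IDs).
const demoLedger = new Ledger({ "64f0a1": 1500.5, "64f0a2": 20 });
console.log(transfer(demoLedger, "64f0a1", { to: "64f0a2", amount: 500 }), demoLedger.accounts);

module.exports = { Ledger, TransferError, transfer };
```

The order of the checks is the point: body shape and sign of `amount` are rejected before any database work, the balance is read and compared inside the same transaction that debits it, and a missing recipient discovered after that check still leaves the sender untouched because nothing is committed. The in-memory ledger does not model two sessions racing each other; on MongoDB that is what the transaction's write conflict detection handles, which is why a replica set is required (see the troubleshooting section).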
User:

```
{
  userName: String (required, unique),
  email: String (unique),
  firstName: String (required, max 30 chars),
  lastName: String (required, max 30 chars),
  password: String (required, hashed)
}
```

Account:

```
{
  userId: ObjectId (reference to User, required),
  balance: Number (default: 0, required)
}
```

The API returns appropriate HTTP status codes:
- 200: Success
- 201: Created
- 400: Bad Request (validation errors, insufficient balance)
- 403: Forbidden (authentication failed: missing, malformed, expired or wrongly signed token; this project answers 403 rather than the more conventional 401 in these cases)
- 500: Internal Server Error
You can test the API using tools like Postman, curl, or any HTTP client:

- Signup: `POST /api/v1/users/signup`
- Login: `POST /api/v1/users/login`
- Check Balance: `GET /api/v1/accounts/balance`
- Search Users: `GET /api/v1/users/bulk?filter=john`
- Transfer Money: `POST /api/v1/accounts/transfer`
When a new user signs up:
- A user record is created with the hashed password
- An associated account is automatically created
- Initial balance is randomly set between 1 and 1,000,000 (for demo purposes only; a real wallet starts every account at 0 and credits funds only through a recorded deposit, never at signup)
For production deployment:
- Environment Variables: Use environment variables for sensitive data (the JWT secret and the MongoDB connection string) instead of committing them in `config.js` and `userModel.js`
- Database: Ensure MongoDB Atlas is properly configured
- HTTPS: Use HTTPS in production, since the Bearer token travels in every request header
- Rate Limiting: Implement rate limiting for API endpoints, especially login and signup, to slow down credential guessing
- Logging: Add comprehensive logging for monitoring
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit a pull request
This project is for educational purposes. Please ensure you comply with all applicable laws and regulations if using in production.
MongoDB Connection Error
- Verify your connection string
- Check network access in MongoDB Atlas
- Ensure your IP is whitelisted
JWT Token Issues
- Verify the JWT_SECRET is consistent
- Check token format in Authorization header
- Ensure token hasn't expired
Transaction Failures
- Check MongoDB replica set configuration: MongoDB transactions only run against a replica set (or sharded cluster), so a standalone local `mongod` rejects them; Atlas clusters are replica sets already, and a local instance can be started with `mongod --replSet rs0` and initialised once with `rs.initiate()` in the mongo shell
- Verify sufficient account balance
- Ensure recipient account exists
For issues and questions:
- Check the troubleshooting section
- Review the API documentation
- Create an issue in the repository
Note: This is a demo application. For production use, implement additional security measures, error handling, and testing.