A robust and scalable social media platform backend built with Next.js 16, TypeScript, and MongoDB. This API powers a Twitter-like social media application with features including user authentication, tweet management, likes, image uploads, and real-time email verification.
- JWT-based Authentication with access and refresh tokens
- Email Verification using OTP (One-Time Password)
- Rate Limiting with Upstash Redis (20 requests/minute)
- Password Hashing with bcrypt
- HTTP-only Cookies for secure token storage
- CORS Protection with configurable origins
- User registration with email verification
- Secure login/logout
- Profile management with avatar uploads
- Username uniqueness validation
- Password change functionality
- Token refresh mechanism
- Create tweets with optional image attachments
- Update existing tweets
- Delete tweets
- View all tweets (home feed)
- View user-specific tweets
- Like/Unlike tweets
- Tweet aggregation with like counts
- Image Upload to Cloudinary
- Image Optimization with URL transformations
- Automatic Image Deletion when tweets are removed
- Support for form-data and multipart uploads
- Framework: Next.js 16 (App Router)
- Language: TypeScript
- Database: MongoDB with Mongoose ODM
- Authentication: JWT (jsonwebtoken)
- File Upload: Formidable
- Image Storage: Cloudinary
- Email Service: Resend
- Rate Limiting: Upstash Redis + Vercel KV
- Password Hashing: bcrypt
- Email Templates: React Email
```text
sociyabackend/
├── src/
│   ├── app/
│   │   └── api/
│   │       └── v1/
│   │           ├── users/                  # User endpoints
│   │           │   ├── create-account/
│   │           │   ├── login/
│   │           │   ├── logout/
│   │           │   ├── verify-otp/
│   │           │   ├── me/
│   │           │   ├── is-username-unique/
│   │           │   ├── new-access-token/
│   │           │   ├── c/password/
│   │           │   ├── r/otp/
│   │           │   └── u/avatar/
│   │           ├── tweet/                  # Tweet endpoints
│   │           │   └── t/
│   │           │       ├── upload/
│   │           │       ├── update/[tweetId]/
│   │           │       └── delete/[tweetId]/
│   │           ├── like/                   # Like endpoints
│   │           │   └── tweet/[tweetId]/
│   │           ├── home/                   # Feed endpoints
│   │           │   ├── all-content/
│   │           │   └── user-content/[username]/
│   │           └── healthcheck/            # Health check
│   ├── models/
│   │   ├── user.model.ts                   # User schema
│   │   ├── tweet.model.ts                  # Tweet schema
│   │   └── like.model.ts                   # Like schema
│   ├── middlewares/
│   │   ├── auth.middleware.ts              # JWT verification
│   │   └── parseImageUpload.middleware.ts
│   ├── utils/
│   │   ├── ApiResponse.ts                  # Standardized API responses
│   │   ├── cloudinary.ts                   # Cloudinary integration
│   │   ├── dbConnect.ts                    # MongoDB connection
│   │   ├── generateAccessAndRefreshToken.ts
│   │   ├── sendVerificationEmail.ts
│   │   ├── deleteFromCloudinary.ts
│   │   ├── getOptimizedUrl.ts              # Image optimization
│   │   └── resend.ts                       # Email service
│   ├── emails/
│   │   └── verificationEmail.tsx           # Email template
│   └── middleware.ts                       # Rate limiting & CORS
├── public/
│   └── temp/                               # Temporary file storage
├── next.config.ts
├── tsconfig.json
└── package.json
```
- `GET /api/v1/healthcheck` - Check API status
- `POST /api/v1/users/create-account` - Register new user
- `POST /api/v1/users/login` - User login
- `POST /api/v1/users/logout` - User logout (requires auth)
- `POST /api/v1/users/verify-otp` - Verify email with OTP
- `POST /api/v1/users/r/otp` - Resend OTP
- `POST /api/v1/users/new-access-token` - Refresh access token
- `GET /api/v1/users/me` - Get current user profile (requires auth)
- `GET /api/v1/users/is-username-unique` - Check username availability
- `PATCH /api/v1/users/c/password` - Change password (requires auth)
- `PATCH /api/v1/users/u/avatar` - Update avatar (requires auth)
- `POST /api/v1/tweet/t/upload` - Create new tweet (requires auth)
- `PATCH /api/v1/tweet/t/update/[tweetId]` - Update tweet (requires auth)
- `DELETE /api/v1/tweet/t/delete/[tweetId]` - Delete tweet (requires auth)
- `GET /api/v1/home/all-content` - Get all tweets
- `GET /api/v1/home/user-content/[username]` - Get user tweets
- `POST /api/v1/like/tweet/[tweetId]` - Toggle like on tweet (requires auth)
- Registration:
  - User submits credentials
  - Password is hashed
  - OTP is generated and sent via email
  - User account is created (unverified)
- Email Verification:
  - User enters OTP
  - OTP is validated (5-minute expiry)
  - Account is marked as verified
- Login:
  - User submits credentials
  - Password is verified
  - Access token (1d) and refresh token (10d) are generated
  - Tokens are set as HTTP-only cookies
- Protected Routes:
  - Middleware verifies JWT from cookie or Authorization header
  - User information is attached to request
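The protected-route step above, as an added example that is not the project's own `auth.middleware.ts`: a minimal HS256 signer/verifier standing in for `jsonwebtoken` (the real middleware should keep using that library), with the README's cookie-or-Bearer lookup and 1d/10d lifetimes. The secret, the `accessToken` cookie name and the `typ` claim are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed values: the project reads its secret from env; lifetimes follow the README (1d / 10d).
const TOKEN_SECRET = "constructed-example-secret-not-for-production";
const ACCESS_TTL_SEC = 24 * 60 * 60;
const REFRESH_TTL_SEC = 10 * 24 * 60 * 60;
const COOKIE_NAME = "accessToken"; // assumed cookie name
type Claims = { sub: string; iat: number; exp: number; typ: "access" | "refresh" };
const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const hmac = (data: string): Buffer => createHmac("sha256", TOKEN_SECRET).update(data).digest();

// Minimal HS256 signer standing in for jsonwebtoken.sign(payload, secret, { expiresIn }).
function signToken(userId: string, typ: Claims["typ"], nowSec: number): string {
  const ttl = typ === "access" ? ACCESS_TTL_SEC : REFRESH_TTL_SEC;
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ sub: userId, iat: nowSec, exp: nowSec + ttl, typ }));
  return `${head}.${body}.${hmac(`${head}.${body}`).toString("base64url")}`;
}

// Checks the signature in constant time and the exp claim; null on any failure.
function verifyToken(token: string, nowSec: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = hmac(`${head}.${body}`);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: Claims;
  try {
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as Claims;
  } catch {
    return null;
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return null;
  return claims;
}

// The README's rule: take the JWT from the cookie, else from "Authorization: Bearer <token>".
// Header names are assumed already lower-cased, as Node's IncomingMessage.headers does.
function extractToken(headers: Record<string, string | undefined>): string | null {
  const match = new RegExp(`(?:^|;\\s*)${COOKIE_NAME}=([^;]+)`).exec(headers["cookie"] ?? "");
  if (match) return match[1];
  const auth = headers["authorization"] ?? "";
  return auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : null;
}

// Returns the authenticated user id (what the middleware attaches to the request), or null.
function authenticate(headers: Record<string, string | undefined>, nowSec: number): string | null {
  const token = extractToken(headers);
  const claims = token ? verifyToken(token, nowSec) : null;
  return claims && claims.typ === "access" ? claims.sub : null; // a refresh token must not open protected routes
}
```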
```ts
import { Schema } from "mongoose";

// User schema (src/models/user.model.ts), shown in simplified form
const userSchema = new Schema(
  {
    username: { type: String, unique: true },
    fullName: String,
    email: { type: String, unique: true },
    avatar: String,
    avatarId: String, // id used to delete the image from Cloudinary
    password: String, // bcrypt hash, never the plaintext
    refreshToken: String,
    isVerified: Boolean,
    otp: String,
    otpExpiresAt: Date,
  },
  { timestamps: true }
);

// Tweet schema (src/models/tweet.model.ts)
const tweetSchema = new Schema(
  {
    content: String,
    image: String,
    imageId: String, // id used to delete the image from Cloudinary
    owner: { type: Schema.Types.ObjectId, ref: "User" },
  },
  { timestamps: true }
);

// Like schema (src/models/like.model.ts)
const likeSchema = new Schema(
  {
    likedBy: { type: Schema.Types.ObjectId, ref: "User" },
    likedTo: { type: Schema.Types.ObjectId, ref: "Tweet" },
  },
  { timestamps: true }
);
```

The API is configured to accept requests from a specific origin (configurable via the `CORS_ORIGIN` env variable). All API routes support:
- Credentials
- Custom headers
- Standard HTTP methods (GET, POST, PATCH, DELETE, OPTIONS)
Built-in rate limiting using Upstash Redis:
- 20 requests per minute per IP address
- Sliding window algorithm
- Returns 429 status when limit is exceeded
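An added example of the policy above (not the project's `middleware.ts`, which delegates to Upstash Redis so the count is shared across serverless instances): an in-process sliding-log limiter with the same 20-per-minute-per-IP rule and a 429 decision, plus the client-key choice that decides what "per IP" means. The response header names and the `behindTrustedProxy` flag are assumptions.

```typescript
// In-process sliding-log limiter mirroring the README policy: 20 requests per minute per IP,
// HTTP 429 when exceeded. The clock is a parameter so the window edge can be tested.
const LIMIT = 20;
const WINDOW_MS = 60_000;

type Decision = { status: 200 | 429; remaining: number; retryAfterMs: number };

function createRateLimiter(limit: number = LIMIT, windowMs: number = WINDOW_MS) {
  const log = new Map<string, number[]>(); // ip -> timestamps of accepted requests in the window
  return {
    check(ip: string, nowMs: number): Decision {
      const cutoff = nowMs - windowMs;
      const recent = (log.get(ip) ?? []).filter((t) => t > cutoff); // drop entries that slid out
      if (recent.length >= limit) {
        log.set(ip, recent); // rejected attempts are not recorded, so a blocked client is not penalised further
        return { status: 429, remaining: 0, retryAfterMs: (recent[0] ?? nowMs) + windowMs - nowMs };
      }
      recent.push(nowMs);
      log.set(ip, recent);
      return { status: 200, remaining: limit - recent.length, retryAfterMs: 0 };
    },
  };
}

// The key matters: X-Forwarded-For is client-controlled unless a trusted proxy in front of
// the app overwrites it, so only honour it when that is known to be the case.
function clientKey(headers: Record<string, string | undefined>, socketIp: string, behindTrustedProxy: boolean): string {
  const xff = headers["x-forwarded-for"];
  return behindTrustedProxy && xff ? xff.split(",")[0].trim() : socketIp;
}

// Headers a middleware would attach to the response (names assumed, not from the project).
function rateLimitHeaders(d: Decision): Record<string, string> {
  return {
    "X-RateLimit-Limit": String(LIMIT),
    "X-RateLimit-Remaining": String(d.remaining),
    ...(d.status === 429 ? { "Retry-After": String(Math.ceil(d.retryAfterMs / 1000)) } : {}),
  };
}
```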
Uses Resend service with custom React email templates:
- OTP generation with 6-digit code
- 5-minute expiration
- Resend OTP functionality
- Professional email templates
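The OTP rules above as an added example (not the project's `sendVerificationEmail.ts` or verify-otp handler): a 6-digit code from a CSPRNG, a 5-minute expiry checked before the compare, a constant-time compare, and single use. Field names follow the User schema; the outcome strings are assumptions.

```typescript
import { randomInt, timingSafeEqual } from "node:crypto";

// Constructed example of the README's OTP rules: 6-digit code, 5-minute expiry, resendable.
const OTP_TTL_MS = 5 * 60_000;

type OtpFields = { otp: string | null; otpExpiresAt: Date | null; isVerified: boolean };
type OtpResult = "ok" | "expired" | "mismatch" | "none"; // assumed outcome names

// randomInt is a CSPRNG; padStart keeps codes such as 004213 at six characters.
function issueOtp(user: OtpFields, nowMs: number): string {
  user.otp = randomInt(0, 1_000_000).toString().padStart(6, "0");
  user.otpExpiresAt = new Date(nowMs + OTP_TTL_MS); // a resend calls this again, replacing the old code
  return user.otp;
}

// Expiry is checked first, the compare is constant-time, and a used code is cleared so it cannot be replayed.
function verifyOtp(user: OtpFields, submitted: string, nowMs: number): OtpResult {
  if (user.otp === null || user.otpExpiresAt === null) return "none";
  if (user.otpExpiresAt.getTime() <= nowMs) return "expired";
  const stored = Buffer.from(user.otp, "utf8");
  const given = Buffer.from(submitted, "utf8");
  if (stored.length !== given.length || !timingSafeEqual(stored, given)) return "mismatch";
  user.isVerified = true;
  user.otp = null;
  user.otpExpiresAt = null;
  return "ok";
}
```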
Cloudinary integration for efficient image management:
- Automatic upload to the `sociya-v1` folder
- Image optimization with URL transformations
- Automatic deletion when content is removed
- Support for avatar and tweet images
- HTTP-only cookies for token storage
- CORS protection
- Rate limiting
- JWT-based authentication
- Password hashing with bcrypt
- Input validation
- MongoDB injection protection via Mongoose
Contributions are welcome! Please feel free to submit a Pull Request.
This project is private and proprietary.
Built with ❤️ for the Sociya social media platform
Note: This is a backend API service. Make sure to configure your frontend application to point to the correct API endpoints.