A high-performance URL shortener service with comprehensive user authentication and role-based access control.
- User Registration & Login - Email/password authentication
- JWT-based Authentication - Secure access and refresh tokens
- Password Reset - Secure password reset flow
- Role-based Access Control - Guest vs Registered user permissions
- Google OAuth - Ready for Google Sign-In integration
- Guest Users:
  - Can create short URLs with 7-day expiry limit
  - Limited to 10 URLs per day
  - No custom aliases or analytics access
- Registered Users:
  - Unlimited URL creation with custom expiry (up to 1 year)
  - Custom aliases support
  - Full analytics access
  - URL duplication handling
  - Up to 100 URLs per day
- Real-time click tracking
- Geographic analytics
- Device and browser analytics
- Performance monitoring with OpenTelemetry
- Comprehensive logging
- Node.js with TypeScript
- Express.js - Web framework
- PostgreSQL - Primary database
- Redis - Caching and session storage
- JWT - Authentication tokens
- bcrypt - Password hashing
- Joi - Input validation
- Winston - Logging
- Kafka - Analytics event streaming (optional)
- React 19 with TypeScript
- Redux Toolkit - State management
- React Router - Navigation
- Tailwind CSS - Styling
- Vite - Build tool
- Node.js 18+
- PostgreSQL 12+
- Redis 6+
- npm or yarn
- Clone and install dependencies
  ```bash
  git clone <repository-url>
  cd url-shortener
  npm install
  ```
- Environment Configuration
  ```bash
  cp .env.example .env
  # Edit .env with your database and Redis credentials
  ```
- Database Setup
  ```bash
  # Create database
  createdb url_shortener
  # Run migrations
  npm run db:migrate
  ```
- Start the backend
  ```bash
  npm run dev
  ```
  Backend will be available at http://localhost:3000
- Install frontend dependencies
  ```bash
  cd frontend
  npm install
  ```
- Environment Configuration
  ```bash
  cd frontend
  cp .env.example .env
  # Edit .env to set the backend URL if different from default
  ```
- Start the frontend
  ```bash
  npm run dev
  ```
  Frontend will be available at http://localhost:5173
Authentication:
- `POST /api/v1/auth/register` - User registration
- `POST /api/v1/auth/login` - User login
- `POST /api/v1/auth/logout` - User logout
- `POST /api/v1/auth/refresh-token` - Refresh access token
- `POST /api/v1/auth/request-password-reset` - Request password reset
- `POST /api/v1/auth/confirm-password-reset` - Confirm password reset
- `GET /api/v1/auth/profile` - Get user profile
- `PUT /api/v1/auth/profile` - Update user profile
- `POST /api/v1/auth/change-password` - Change password
- `GET /api/v1/auth/permissions` - Get user permissions

URLs:
- `POST /api/v1/url/shorten` - Create short URL (guest/authenticated)
- `DELETE /api/v1/url/:shortCode` - Delete URL (authenticated only)
- `GET /api/v1/url/resolve/:shortCode` - Resolve URL details

Analytics:
- `GET /api/v1/analytics/:shortCode` - Get URL analytics (authenticated only)
- `GET /api/v1/analytics/:shortCode/realtime` - Real-time analytics
- `GET /api/v1/analytics/global/summary` - Global analytics summary

Redirect:
- `GET /:shortCode` - Redirect to original URL
- ✅ Create short URLs (7-day expiry max)
- ✅ Access shortened URLs
- ❌ Custom aliases
- ❌ Analytics access
- ❌ Custom expiry dates
- ❌ URL management
- Limits: 10 URLs per day, 7-day max expiry
- ✅ All guest features
- ✅ Custom aliases
- ✅ Full analytics access
- ✅ Custom expiry dates (up to 1 year)
- ✅ URL management (edit, delete)
- ✅ Duplicate URL handling
- Limits: 100 URLs per day, 365-day max expiry
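The guest and registered permission lists above are exactly the kind of policy that should be checked in one place on the shorten endpoint rather than scattered across handlers. The following is an added example, not code from this project: it encodes the README's limits (10/day and 7-day cap for guests, 100/day, 365-day cap and aliases for registered users) in a policy table, validates the target URL, and returns every violation at once. The request shape, the alias format, the decision to reject rather than clamp a guest-supplied expiry, and the in-memory `DailyQuota` (standing in for a Redis counter) are assumptions.

```typescript
// Added example (not the project's own code): enforcing the guest/registered
// policy from the README on a shorten request. The limits are the README's;
// the request shape, alias rules and the DailyQuota class are assumptions.

export type Role = "guest" | "registered";

export interface RolePolicy {
  maxUrlsPerDay: number;  // quota per calendar day
  maxExpiryDays: number;  // hard cap on link lifetime
  customExpiry: boolean;  // may the caller pick an expiry at all?
  customAlias: boolean;
  analytics: boolean;
}

export const POLICIES: Record<Role, RolePolicy> = {
  guest:      { maxUrlsPerDay: 10,  maxExpiryDays: 7,   customExpiry: false, customAlias: false, analytics: false },
  registered: { maxUrlsPerDay: 100, maxExpiryDays: 365, customExpiry: true,  customAlias: true,  analytics: true },
};

export interface ShortenRequest {
  originalUrl: string;
  customAlias?: string;
  expiryDays?: number;
}

export interface Decision {
  allowed: boolean;
  expiryDays: number;  // the lifetime that will actually be stored
  reasons: string[];   // every violation found, so the caller gets one complete answer
}

// Assumed alias format: short and URL-safe, with no dots or slashes that could confuse the redirect route.
const ALIAS_PATTERN = /^[A-Za-z0-9_-]{4,32}$/;

/** In-memory per-principal daily counter; stands in for the Redis counter a deployment would use. */
export class DailyQuota {
  private counts = new Map<string, number>();
  private key(principal: string, at: Date): string {
    return `${principal}:${at.toISOString().slice(0, 10)}`;  // one bucket per UTC day
  }
  used(principal: string, at: Date = new Date()): number {
    return this.counts.get(this.key(principal, at)) ?? 0;
  }
  record(principal: string, at: Date = new Date()): void {
    const k = this.key(principal, at);
    this.counts.set(k, (this.counts.get(k) ?? 0) + 1);
  }
}

export function evaluateShortenRequest(role: Role, req: ShortenRequest, usedToday: number): Decision {
  const policy = POLICIES[role];
  const reasons: string[] = [];

  // Only absolute http(s) targets are accepted; javascript:, data: and relative
  // inputs are rejected before anything is stored or redirected to.
  let target: URL | null = null;
  try {
    target = new URL(req.originalUrl);
  } catch {
    // unparsable input is reported below
  }
  if (!target || (target.protocol !== "http:" && target.protocol !== "https:")) {
    reasons.push("originalUrl must be an absolute http or https URL");
  }

  if (usedToday >= policy.maxUrlsPerDay) {
    reasons.push(`daily limit of ${policy.maxUrlsPerDay} URLs reached`);
  }

  if (req.customAlias !== undefined) {
    if (!policy.customAlias) {
      reasons.push("custom aliases require a registered account");
    } else if (!ALIAS_PATTERN.test(req.customAlias)) {
      reasons.push("alias must be 4-32 characters of [A-Za-z0-9_-]");
    }
  }

  // Expiry: guests always get the fixed cap; registered users may choose 1..maxExpiryDays.
  let expiryDays = policy.maxExpiryDays;
  if (req.expiryDays !== undefined) {
    if (!policy.customExpiry) {
      reasons.push("custom expiry requires a registered account");
    } else if (!Number.isInteger(req.expiryDays) || req.expiryDays < 1 || req.expiryDays > policy.maxExpiryDays) {
      reasons.push(`expiryDays must be an integer between 1 and ${policy.maxExpiryDays}`);
    } else {
      expiryDays = req.expiryDays;
    }
  }

  return { allowed: reasons.length === 0, expiryDays, reasons };
}
```

A handler would call `evaluateShortenRequest(req.user?.role ?? "guest", body, quota.used(principal))` and only `quota.record(principal)` once the row is actually written; returning all reasons together keeps the API from leaking the policy one rejection at a time while still giving the client a usable error.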
- `users` - User accounts and authentication
- `url_mappings` - URL mappings and metadata
- `analytics_events` - Click tracking events (partitioned)
- `analytics_aggregates` - Pre-computed analytics
- `refresh_tokens` - JWT refresh tokens
- `password_reset_tokens` - Password reset tokens
- `email_verification_tokens` - Email verification tokens
- Password Security: bcrypt hashing with configurable rounds
- JWT Security: Separate access and refresh tokens
- Rate Limiting: Per-user and global rate limits
- Input Validation: Comprehensive request validation
- SQL Injection Protection: Parameterized queries
- CORS Configuration: Configurable cross-origin policies
- Helmet.js: Security headers
- Environment Validation: Strict environment variable validation
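"Separate access and refresh tokens" means more than two expiry times: each kind is signed with its own secret (`JWT_SECRET` and `JWT_REFRESH_SECRET` in the configuration below) and carries a claim saying which kind it is, so a refresh token presented to a protected route fails verification even though it is a valid JWT. The following added example, which is not the project's code, shows that with HS256 tokens built directly on Node's `crypto` module: the algorithm is pinned rather than read from the header, the MAC is compared in constant time, and verification checks secret, kind and expiry. The claim names, lifetimes and the 32-character minimum on secrets are assumptions.

```typescript
// Added example (not the project's own code): HS256 JWTs signed with Node's
// crypto module, using one secret for access tokens and a different one for
// refresh tokens. Claim names, lifetimes and the 32-character minimum are assumptions.
import { createHmac, timingSafeEqual } from "crypto";

export type TokenKind = "access" | "refresh";

export interface Claims {
  sub: string;                   // user id
  role: "guest" | "registered";
  typ: TokenKind;                // checked on verify, so a refresh token can't pass as an access token
  iat: number;                   // issued at (seconds)
  exp: number;                   // expiry (seconds)
}

const ACCESS_TTL_SECONDS = 15 * 60;            // assumed: short-lived
const REFRESH_TTL_SECONDS = 7 * 24 * 60 * 60;  // assumed: one week

function b64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromB64url(s: string): Buffer {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

function decodeJson(segment: string): Record<string, unknown> | null {
  try {
    const v: unknown = JSON.parse(fromB64url(segment).toString("utf8"));
    return v !== null && typeof v === "object" ? (v as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

function hmac(secret: string, data: string): Buffer {
  return createHmac("sha256", secret).update(data).digest();
}

export function signToken(
  claims: Omit<Claims, "iat" | "exp">,
  secret: string,
  ttlSeconds: number,
  now: number = Math.floor(Date.now() / 1000),
): string {
  if (secret.length < 32) throw new Error("secret must be at least 32 characters");
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" }), "utf8"));
  const body = b64url(Buffer.from(JSON.stringify({ ...claims, iat: now, exp: now + ttlSeconds }), "utf8"));
  const signingInput = `${header}.${body}`;
  return `${signingInput}.${b64url(hmac(secret, signingInput))}`;
}

/** Returns the claims, or null for any token that is malformed, forged, of the wrong kind or expired. */
export function verifyToken(
  token: string,
  secret: string,
  expectedTyp: TokenKind,
  now: number = Math.floor(Date.now() / 1000),
): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;

  // Pin the algorithm: the header is untrusted, so "none" or any other alg is rejected outright.
  const hdr = decodeJson(header);
  if (!hdr || hdr.alg !== "HS256") return null;

  // Constant-time comparison of the MAC; a token signed with the other secret fails here.
  const expected = hmac(secret, `${header}.${body}`);
  const given = fromB64url(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  const claims = decodeJson(body);
  if (!claims || typeof claims.sub !== "string") return null;
  if (claims.typ !== expectedTyp) return null;
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims as unknown as Claims;
}

export function issueTokenPair(
  sub: string,
  role: Claims["role"],
  accessSecret: string,
  refreshSecret: string,
  now: number = Math.floor(Date.now() / 1000),
): { accessToken: string; refreshToken: string } {
  return {
    accessToken: signToken({ sub, role, typ: "access" }, accessSecret, ACCESS_TTL_SECONDS, now),
    refreshToken: signToken({ sub, role, typ: "refresh" }, refreshSecret, REFRESH_TTL_SECONDS, now),
  };
}
```

The `/auth/refresh-token` route would call `verifyToken(body.refreshToken, JWT_REFRESH_SECRET, "refresh")`, check the token against the `refresh_tokens` table so that logout can revoke it, and only then issue a new pair; protected routes call `verifyToken(bearer, JWT_SECRET, "access")` and never consult the refresh secret.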
Backend:
- `npm run dev` - Start development server
- `npm run build` - Build for production
- `npm run start` - Start production server
- `npm run test` - Run tests
- `npm run db:migrate` - Run database migrations
- `npm run db:status` - Check migration status
Frontend:
- `npm run dev` - Start development server
- `npm run build` - Build for production
- `npm run preview` - Preview production build
- `npm run test` - Run tests
- `npm run lint` - Run linting
Backend (see .env.example for complete list):
```bash
# Database
DB_HOST=localhost
DB_PORT=5432
DB_NAME=url_shortener
DB_USER=postgres
DB_PASSWORD=your_password

# Security
JWT_SECRET=your-jwt-secret-32-chars-min
JWT_REFRESH_SECRET=your-refresh-secret-32-chars-min

# Redis
REDIS_HOST=localhost
REDIS_PORT=6379
```

Frontend (see frontend/.env.example):
```bash
# Backend API URL
VITE_BASE_URL=http://localhost:3000
```

- Environment Setup
  - Use strong, unique secrets for JWT tokens
  - Configure proper CORS origins
  - Set up SSL/TLS certificates
  - Configure rate limiting appropriately
- Database
  - Use connection pooling
  - Set up read replicas for analytics
  - Configure automated backups
  - Monitor performance
- Caching
  - Configure Redis clustering for high availability
  - Set appropriate cache TTLs
  - Monitor cache hit rates
- Monitoring
  - Set up application monitoring (Jaeger/Zipkin)
  - Configure log aggregation
  - Set up health checks
  - Monitor key metrics
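The "strict environment variable validation" listed under the security features and the "strong, unique secrets" item in the deployment checklist above both come down to one startup check: refuse to run if a required variable is missing, still holds the sample value from `.env.example`, or is too short, and report every problem at once. The block below is an added example, not the project's own validator (the project lists Joi for validation; this uses plain TypeScript so it runs stand-alone). Variable names are those from the `.env` listing above; the 32-character minimum, the distinct-secrets rule, the placeholder check and the port range are assumptions.

```typescript
// Added example (not the project's own code): fail-fast validation of the
// backend environment at startup. Variable names are from the README's .env
// listing; the rules (32-character secrets, distinct secrets, placeholder
// rejection, port ranges) are assumptions about what "strict" should cover.

export interface BackendConfig {
  db: { host: string; port: number; name: string; user: string; password: string };
  redis: { host: string; port: number };
  jwtSecret: string;
  jwtRefreshSecret: string;
}

type Env = Record<string, string | undefined>;

const MIN_SECRET_LENGTH = 32;

// Values copied from .env.example; a deployment that still has them must not start.
const PLACEHOLDERS = new Set(["your_password", "your-jwt-secret-32-chars-min", "your-refresh-secret-32-chars-min"]);

function required(env: Env, name: string, problems: string[]): string {
  const v = env[name]?.trim() ?? "";
  if (v === "") {
    problems.push(`${name} is required`);
  } else if (PLACEHOLDERS.has(v)) {
    problems.push(`${name} still holds the placeholder value from .env.example`);
  }
  return v;
}

function secret(env: Env, name: string, problems: string[]): string {
  const v = required(env, name, problems);
  if (v !== "" && v.length < MIN_SECRET_LENGTH) {
    problems.push(`${name} must be at least ${MIN_SECRET_LENGTH} characters`);
  }
  return v;
}

function port(env: Env, name: string, fallback: number, problems: string[]): number {
  const raw = env[name]?.trim() ?? "";
  if (raw === "") return fallback;
  const n = Number(raw);
  if (!Number.isInteger(n) || n < 1 || n > 65535) {
    problems.push(`${name} must be an integer in 1..65535, got "${raw}"`);
    return fallback;
  }
  return n;
}

/** Collects every problem rather than stopping at the first, so one failed start shows them all. */
export function validateEnv(env: Env): { config: BackendConfig; problems: string[] } {
  const problems: string[] = [];
  const config: BackendConfig = {
    db: {
      host: required(env, "DB_HOST", problems),
      port: port(env, "DB_PORT", 5432, problems),
      name: required(env, "DB_NAME", problems),
      user: required(env, "DB_USER", problems),
      password: required(env, "DB_PASSWORD", problems),
    },
    redis: {
      host: required(env, "REDIS_HOST", problems),
      port: port(env, "REDIS_PORT", 6379, problems),
    },
    jwtSecret: secret(env, "JWT_SECRET", problems),
    jwtRefreshSecret: secret(env, "JWT_REFRESH_SECRET", problems),
  };
  // Reusing one secret for both token kinds would let a refresh token verify as an access token.
  if (config.jwtSecret !== "" && config.jwtSecret === config.jwtRefreshSecret) {
    problems.push("JWT_SECRET and JWT_REFRESH_SECRET must be different values");
  }
  return { config, problems };
}

/** Startup entry point: throws with the full list so the process exits before it serves a request. */
export function loadConfig(env: Env = process.env): BackendConfig {
  const { config, problems } = validateEnv(env);
  if (problems.length > 0) {
    throw new Error(`Invalid environment:\n - ${problems.join("\n - ")}`);
  }
  return config;
}
```

Calling `loadConfig()` as the first statement of the server entry point, before the Express app or any database pool is created, is what turns a misconfigured deployment into an immediate crash with a readable list instead of a service that starts and signs tokens with the sample secret.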
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests for new functionality
- Ensure all tests pass
- Submit a pull request
MIT License - see LICENSE file for details