An e-commerce backend API with Stripe payment integration, RBAC authentication, product management, a persistent shopping cart and order management.
API Documentation (Swagger UI): https://www.habib.iam.bd
- Authentication: JWT & cookie-based auth with Role-Based Access Control (User/Admin).
- Email Verification: Email verification to prevent spam sign-ups.
- Password Reset: Password reset with email verification.
- Rate Limiting: Rate limiting to prevent brute-force attacks.
- Products: CRUD operations (Admin only for create/update/delete), browsing for users.
- Cart: Persistent shopping cart stored in the database.
- Orders: Order creation, status tracking, and history.
- Payments:
  - Stripe Payment Intents.
  - Webhook handling for asynchronous payment confirmation.
  - Secure customer integration.
- Email Service:
  - Free Brevo email API (Render blocks SMTP).
  - Email verification for new users.
  - Password reset emails.
  - Works perfectly on Render.
- Security: Helmet, CORS, Data Sanitization.
- Install Dependencies

  ```
  npm install
  ```

- Environment Variables

  Rename `.env.example` to `.env` and fill in your details:

  ```
  PORT=5000
  MONGO_URI=mongodb+srv://<username>:<password>@cluster0.mongodb.net/ecommerce?retryWrites=true&w=majority
  # OR for local: mongodb://localhost:27017/ecommerce
  JWT_SECRET=your_jwt_secret_key_here
  JWT_EXPIRE=30d
  JWT_EXPIRE_DAYS=30
  STRIPE_SECRET_KEY=sk_test_...
  STRIPE_WEBHOOK_SECRET=whsec_...
  NODE_ENV=development
  BREVO_API_KEY=xkeysib_YOUR_API_KEY_HERE
  FROM_NAME=Your App Name
  FROM_EMAIL=your-verified-email@gmail.com
  ```
  Note: To get the `STRIPE_WEBHOOK_SECRET`, you need to set up a webhook endpoint in the Stripe Dashboard pointing to `your-domain/api/payments/webhook`, or use the Stripe CLI for local testing.

  Email Service (Brevo):

  - Sign up at https://www.brevo.com (completely free, no credit card needed)
  - Get your API Key v3 from: Settings → API keys & MCP
  - Verify your sender email in Brevo: Senders → Add a Sender
  - Use that email as `FROM_EMAIL` in `.env`
  - Free plan includes 300 emails/day (perfect for personal projects)
- Run Server

  ```
  # Development
  npm run dev

  # Production
  npm start
  ```
- `POST /api/v2/auth/register` - Register a new user
- `GET /api/v2/auth/verifyemail/:token` - Verify email
- `POST /api/v2/auth/login` - Login
- `GET /api/v2/auth/me` - Get current user profile
- `GET /api/v2/auth/logout` - Logout user (clear cookie)
- `POST /api/v2/auth/forgotpassword` - Forgot password
- `GET /api/v2/auth/resetpassword/:token` - Reset password
- `PUT /api/v2/auth/resetpassword/:token` - Reset password with new password

- `GET /api/products` - Get all products
- `GET /api/products/:id` - Get single product
- `POST /api/products` - Create product (Admin)
- `PATCH /api/products/:id` - Update product (Admin)
- `DELETE /api/products/:id` - Delete product (Admin)

- `GET /api/cart` - Get user cart
- `POST /api/cart` - Add item to cart
- `PATCH /api/cart/:itemId` - Update quantity of an existing cart item
- `DELETE /api/cart/:itemId` - Remove item from cart

- `POST /api/orders` - Create order from cart
- `GET /api/orders` - Get user orders
- `GET /api/orders/:id` - Get order details
- `GET /api/orders/all` - Get all orders (Admin)
- `GET /api/orders/user/:userId` - Get orders by user (Admin)
- `PATCH /api/orders/:id/status` - Update order status (Admin)

- `POST /api/payments/create-payment-intent` - Create Stripe Payment Intent for an order
- `POST /api/payments/setup-intent` - Create Stripe Setup Intent
- Install the Stripe CLI.
- Login: `stripe login`
- Listen: `stripe listen --forward-to localhost:5000/api/payments/webhook`
- Copy the Webhook Signing Secret (`whsec_...`) printed in the terminal to your `.env` file.
If you see `MongooseError: Operation buffering timed out` or connection failures:

- Check IP Whitelist: If using MongoDB Atlas, ensure your current IP address is whitelisted in the "Network Access" tab.
- Check Connection String: Ensure your `MONGO_URI` is correct and includes the password.
- Firewall/Network: Some corporate networks or ISPs block port 27017. Try using a VPN or mobile hotspot if the connection fails despite whitelisting.