Security Layer
Relevant source files
- config/arcjet.js
- controllers/user.controller.js
- middlewares/arcjet.middleware.js
- middlewares/auth.middleware.js
The Subscription Tracker API employs a multi-layered security strategy to protect against common web vulnerabilities, automated bot traffic, and unauthorized data access. The system is divided into two primary concerns: Request-Level Protection (via Arcjet) and Identity-Level Authentication (via JWT).
Architecture Overview
The security stack operates as a series of Express middlewares. Every incoming request must first pass through the Arcjet security shield before reaching the authentication layer. This ensures that malicious traffic or rate-limited clients are rejected before the application spends resources verifying cryptographic tokens or querying the database.
Security Pipeline Flow
[Flowchart Diagram]
Sources: middlewares/arcjet.middleware.js:3-36, middlewares/auth.middleware.js:5-35
Request-Level Protection (Arcjet)
The system uses Arcjet to provide a Web Application Firewall (WAF) and bot detection capabilities. This layer is configured in config/arcjet.js and enforced via middlewares/arcjet.middleware.js.
The Arcjet integration provides three critical protections:
- Shield (WAF): Detects and blocks common attacks like SQL injection and Cross-Site Scripting (XSS) (config/arcjet.js:9)
- Bot Detection: Identifies automated traffic while allowing verified search engines (config/arcjet.js:10-13)
- Rate Limiting: Implements a token-bucket algorithm with a capacity of 10 tokens and a refill rate of 5 tokens every 10 seconds (config/arcjet.js:14-19)
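The middleware is designed to be "fail-open": if the Arcjet service itself encounters an error, the request is allowed to proceed to avoid service disruption (middlewares/arcjet.middleware.js:32-35). While such an error persists, requests reach the authentication layer without the Shield, bot, or rate-limit checks having been applied.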
For detailed configuration on exclusion logic and IP extraction, see Arcjet Security Middleware.
Sources: config/arcjet.js:4-21, middlewares/arcjet.middleware.js:12-35
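To show what the rate-limiting rule above means for a client in practice, the following added example (not code from the project or from Arcjet) models a token bucket with the page's parameters and replays constructed traffic through it. It assumes refill is credited in whole 10-second intervals, that each request costs one token, and that buckets are keyed by client IP.

```javascript
// Local model only, not Arcjet's code. Assumptions: refill is credited in
// whole intervals, each request costs 1 token, buckets are keyed by client IP.
const CAPACITY = 10;        // page: bucket capacity
const REFILL_RATE = 5;      // page: tokens added per interval
const INTERVAL_MS = 10_000; // page: refill interval of 10 seconds

class TokenBucket {
  constructor(nowMs) {
    this.tokens = CAPACITY; // a new client starts with a full bucket
    this.lastRefillMs = nowMs;
  }
  refill(nowMs) {
    const intervals = Math.floor((nowMs - this.lastRefillMs) / INTERVAL_MS);
    if (intervals > 0) {
      this.tokens = Math.min(CAPACITY, this.tokens + intervals * REFILL_RATE);
      this.lastRefillMs += intervals * INTERVAL_MS;
    }
  }
  // Returns true when the request is allowed and debits the bucket.
  take(nowMs, cost = 1) {
    this.refill(nowMs);
    if (this.tokens < cost) return false;
    this.tokens -= cost;
    return true;
  }
}

// Replays timestamped requests and records the decision for each one.
function simulate(events) {
  const buckets = new Map();
  return events.map(({ ip, atMs }) => {
    if (!buckets.has(ip)) buckets.set(ip, new TokenBucket(atMs));
    return { ip, atMs, allowed: buckets.get(ip).take(atMs) };
  });
}

function countAllowed(results, ip, atMs) {
  return results.filter((r) => r.ip === ip && r.atMs === atMs && r.allowed).length;
}

// Constructed traffic (documentation IP ranges): one client bursts 12 requests
// at t=0 and 7 more at t=10s; a second client sends one request at t=1s.
const burst = (ip, atMs, n) => Array.from({ length: n }, () => ({ ip, atMs }));
const SAMPLE = [...burst("203.0.113.7", 0, 12), ...burst("198.51.100.2", 1_000, 1),
  ...burst("203.0.113.7", 10_000, 7)];
const results = simulate(SAMPLE);
console.log("t=0s :", countAllowed(results, "203.0.113.7", 0), "of 12 allowed");
console.log("t=10s:", countAllowed(results, "203.0.113.7", 10_000), "of 7 allowed");
```

Under these assumptions a client can burst 10 requests, after which it is held to 5 requests per 10 seconds, and one client exhausting its bucket does not affect another.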
Identity-Level Authentication (JWT)
Once a request is deemed safe by the infrastructure layer, the authorize middleware in middlewares/auth.middleware.js verifies the identity of the requester.
This layer handles:
- Token Extraction: Retrieving the Bearer token from the Authorization header (middlewares/auth.middleware.js:9-10)
- Verification: Validating the token against the JWT_SECRET (middlewares/auth.middleware.js:17)
- Context Population: Fetching the user from MongoDB (excluding the password field) and attaching it to req.user for use in downstream controllers (middlewares/auth.middleware.js:19-26)
If the token is missing, expired, or the associated user no longer exists, the middleware terminates the request with a 401 Unauthorized status (middlewares/auth.middleware.js:12-15).
For details on token verification and user lookup, see JWT Authentication Middleware.
Sources: middlewares/auth.middleware.js:5-35, controllers/user.controller.js:17
Security Entity Mapping
The following diagram bridges the conceptual security layers to the specific functions and files implemented in the codebase.
[Flowchart Diagram]
Sources: config/arcjet.js:4-21, middlewares/arcjet.middleware.js:13-20, middlewares/auth.middleware.js:17-19, controllers/user.controller.js:1-2