User Management API
Relevant source files - controllers/user.controller.js - middlewares/auth.middleware.js - routes/user.routes.js
The User Management API provides a set of RESTful endpoints to manage user profiles within the Subscription Tracker system. It handles standard CRUD (Create, Read, Update, Delete) operations, ensuring data integrity through Mongoose models and security via JWT-based authorization.
API Overview
The user routes are defined in userRouter and prefixed under the /api/v1/users namespace routes/user.routes.js11-141 Access to most endpoints is restricted by the authorize middleware, which validates the request's Bearer token middlewares/auth.middleware.js5-35
Request Pipeline Flow
The following diagram illustrates how a request moves from the route definition to the controller logic, passing through security guards.
User Request Flow Architecture
[Flowchart Diagram]
Sources: routes/user.routes.js27-139controllers/user.controller.js1-89middlewares/auth.middleware.js5-35
Endpoint Specifications
1. Get All Users
- Endpoint:
GET /api/v1/users - Auth Required: Yes (
authorize) routes/user.routes.js27 - Implementation: Calls
User.find()to retrieve every document in the collection controllers/user.controller.js5 - Response: Returns a JSON object with
success: trueand an array of user objects controllers/user.controller.js6-9
2. Get User by ID
- Endpoint:
GET /api/v1/users/:id - Auth Required: Yes (
authorize) routes/user.routes.js52 - Security: Explicitly excludes the password field using
.select("-password")controllers/user.controller.js17 - Error Handling: If the ID does not exist, it throws a 404 error with the message "User not found" controllers/user.controller.js19-23
3. Create User
- Endpoint:
POST /api/v1/users - Auth Required: No routes/user.routes.js81
- Implementation: Instantiates a new
Usermodel withname,email, andpasswordfromreq.bodyand calls.save()controllers/user.controller.js36-38 - Response: Returns 201 Created on success controllers/user.controller.js39
4. Update User
- Endpoint:
PUT /api/v1/users/:id - Auth Required: Yes (
authorize) routes/user.routes.js115 -
Logic:
-
Dynamically builds an
updateFieldsobject to avoid overwriting fields withundefinedcontrollers/user.controller.js51-54 - Uses
findByIdAndUpdatewith{ new: true, runValidators: true }to return the modified document and enforce schema validation controllers/user.controller.js55-58 - Security: Excludes password from the returned document controllers/user.controller.js59
5. Delete User
- Endpoint:
DELETE /api/v1/users/:id - Auth Required: Yes (
authorize) routes/user.routes.js139 - Implementation: Executes
findByIdAndDeletecontrollers/user.controller.js76 - Error Handling: Throws a 404 error if the user record is not found controllers/user.controller.js77-81
Sources: routes/user.routes.js1-141controllers/user.controller.js1-90
Security and Data Privacy
Password Exclusion
The API enforces strict data privacy by ensuring password hashes are never leaked in read or update operations. This is handled via the Mongoose .select("-password") projection.
Data Sanitization Map
[Flowchart Diagram]
Sources: controllers/user.controller.js17controllers/user.controller.js59
Authorization Guard
The authorize middleware acts as a gatekeeper for the User API. It performs the following steps:
- Extracts the Bearer token from the
Authorizationheader middlewares/auth.middleware.js9-10 - Verifies the token using
jwt.verifyand theJWT_SECRETmiddlewares/auth.middleware.js17 - Fetches the user from the database to ensure the account still exists middlewares/auth.middleware.js19
- Attaches the user object to
req.userfor downstream use in controllers middlewares/auth.middleware.js26
Sources: middlewares/auth.middleware.js5-35
Error Handling
The User Management API utilizes a centralized error handling pattern. Controllers are wrapped in try-catch blocks that pass exceptions to the next() function controllers/user.controller.js11-87
| Condition | Status Code | Error Message | Source |
|---|---|---|---|
| Missing/Invalid Token | 401 | "Unauthorized" | authorize middleware |
| User Not Found | 404 | "User not found" | getUser, updateUser, deleteUser |
| Validation Failure | 400 (via Global Handler) | Varies (e.g., "Invalid email") | Mongoose Schema |
Sources: controllers/user.controller.js20-22middlewares/auth.middleware.js12-15middlewares/auth.middleware.js21-24