Secure REST API Architecture powering the CityResolved platform.
Built with Node.js, Express, MongoDB, and Firebase Admin SDK.
- ✨ Overview
- ⚙️ Tech Stack
- 🛡️ Security Architecture
- 🚀 Key Features
- 🔌 API Endpoints
- 🛠️ Setup & Installation
- 🔑 Environment Variables
## ✨ Overview

The CityResolved Backend serves as the central logic hub for the application. It handles user authentication verification via Firebase Admin, manages Role-Based Access Control (RBAC) for Admins, Staff, and Citizens, and processes secure payments via Stripe. It connects to a MongoDB database to store issues, user profiles, and timeline logs.
## ⚙️ Tech Stack

| Component | Technology | Description |
|---|---|---|
| Runtime | Node.js | JavaScript runtime environment. |
| Framework | Express | Minimalist web framework for API routing. |
| Database | MongoDB | NoSQL database for flexible document storage. |
| Auth | Firebase Admin SDK | Server-side token verification & user management. |
| Payments | Stripe | Secure payment intent creation & processing. |
| Security | JWT | JSON Web Tokens for session security. |
## 🛡️ Security Architecture

This API implements a Zero Trust security model for sensitive routes:

- JWT Verification Middleware (`verifyToken`):
  - Intercepts every request to protected routes.
  - Validates the `Authorization: Bearer <token>` header using `firebase-admin`.
  - Rejects requests with expired or manipulated tokens immediately (401 Unauthorized).
- Role-Based Access Control (RBAC):
  - Admin Middleware (`verifyAdmin`): Checks the database to ensure the requester has the `role: 'admin'`. Used for `/users` and `/stats` endpoints.
  - Staff Middleware (`verifyStaff`): Ensures the user has `role: 'staff'` before allowing status updates on issues.
- Secure Environment Variables:
  - Database credentials and Stripe keys are accessed via `process.env` and never exposed in the codebase.
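The two middleware layers above, written out as an added example (not the project's own code). The names `verifyToken` and `verifyAdmin` follow the README; the factory functions, the `verifyIdToken` and `findUserByEmail` dependencies (stand-ins for `admin.auth().verifyIdToken` and a lookup in the users collection) and the sample tokens are assumptions so the chain runs offline:

```javascript
// Added example (not the project's code): verifyToken / verifyAdmin in the shape the
// README describes. Dependencies are injected so it runs without firebase-admin or MongoDB:
//   verifyIdToken(token)   -> resolves to decoded claims (e.g. admin.auth().verifyIdToken)
//   findUserByEmail(email) -> resolves to the stored user document or null
function makeVerifyToken(verifyIdToken) {
  return async function verifyToken(req, res, next) {
    const [scheme, token] = (req.headers.authorization || "").split(" ");
    // Only exactly "Bearer <token>" reaches the verifier; anything else is 401.
    if (scheme !== "Bearer" || !token) return res.status(401).send({ message: "unauthorized" });
    try {
      req.decoded = await verifyIdToken(token); // throws on expired or tampered tokens
      return next();
    } catch (err) {
      return res.status(401).send({ message: "unauthorized" });
    }
  };
}
function makeVerifyAdmin(findUserByEmail) {
  return async function verifyAdmin(req, res, next) {
    // The role is read from the database, never from the token or request body,
    // so a caller cannot grant itself 'admin'.
    const user = await findUserByEmail(req.decoded && req.decoded.email);
    if (!user || user.role !== "admin") return res.status(403).send({ message: "forbidden" });
    return next();
  };
}
// Minimal stand-in for Express's res object.
function mockRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}
// Runs verifyToken -> verifyAdmin for one request and reports the outcome.
async function runChain(verifyIdToken, findUserByEmail, authorizationHeader) {
  const req = { headers: { authorization: authorizationHeader } };
  const res = mockRes();
  let reached = false;
  await makeVerifyToken(verifyIdToken)(req, res, () =>
    makeVerifyAdmin(findUserByEmail)(req, res, () => { reached = true; }));
  return { status: reached ? 200 : res.statusCode, reachedHandler: reached };
}
// Constructed fakes: "admin-token" decodes to an admin user, "staff-token" to a staff user.
const fakeClaims = { "admin-token": { email: "admin@example.com" }, "staff-token": { email: "staff@example.com" } };
const fakeVerifyIdToken = async (t) => { if (fakeClaims[t]) return fakeClaims[t]; throw new Error("bad token"); };
const fakeUsers = { "admin@example.com": { role: "admin" }, "staff@example.com": { role: "staff" } };
const fakeFindUserByEmail = async (email) => fakeUsers[email] || null;
```

A staff token passes `verifyToken` but is stopped by `verifyAdmin` with 403, while a missing, malformed or rejected token never reaches the role check and gets 401.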
## 🚀 Key Features

- User Management: Create, Read, Update, and Delete (CRUD) operations for Users with role assignment.
- Issue Tracking: Complex aggregation pipelines to filter issues by status, priority, and assigned staff.
- Payment Integration: Generates a `clientSecret` for Stripe Payment Intents to handle secure transactions on the client side.
- Timeline Logging: Automatically creates a history log entry whenever an issue's status is changed or it receives a priority boost.
- Admin Analytics: Aggregates data from multiple collections to provide real-time statistics (Total Revenue, Issue Counts) for the dashboard.
## 🔌 API Endpoints

| Method | Endpoint | Description | Access |
|---|---|---|---|
| POST | `/users` | Create a new user (Google/Email login). | Public |
| GET | `/users` | Get all users (filter by role). | Admin |
| GET | `/users/:email` | Get single user details. | Private |
| PATCH | `/users/status/:id` | Block/Unblock a user. | Admin |
| POST | `/users/add-staff` | Create a staff account securely. | Admin |

| Method | Endpoint | Description | Access |
|---|---|---|---|
| POST | `/issues` | Report a new issue. | Private |
| GET | `/issues` | Get all issues (with pagination/search). | Public |
| PATCH | `/issues/:id/assign` | Assign an issue to a staff member. | Admin |
| PATCH | `/issues/status/:id` | Update issue status (e.g., Resolved). | Staff |
| PATCH | `/issues/upvote/:id` | Upvote an issue. | Private |

| Method | Endpoint | Description | Access |
|---|---|---|---|
| POST | `/create-payment-intent` | Generate Stripe client secret. | Private |
| POST | `/payments` | Save payment record & boost issue/user. | Private |
| GET | `/admin-stats` | Get aggregated system analytics. | Admin |
## 🛠️ Setup & Installation

To run this server locally, follow these steps:

1. Clone the repository:

   ```bash
   git clone https://github.com/S-Arafin/City-Resolved-Backend.git
   cd City-Resolved-Backend
   ```

2. Install dependencies:

   ```bash
   npm install
   ```

3. Configure Environment Variables:

   Create a `.env` file in the root directory (see below).

4. Start the server:

   ```bash
   # Production mode
   npm start

   # Development mode (with Nodemon)
   npm run dev
   ```
## 🔑 Environment Variables

Create a `.env` file in the root folder and add the following keys:

```env
# Database Configuration
DB_USER=your_mongodb_username
DB_PASS=your_mongodb_password

# Authentication & Security
ACCESS_TOKEN_SECRET=your_random_jwt_secret_string
FB_SERVICE_KEY=your_base64_encoded_firebase_service_account

# Payment Gateway
STRIPE_SECRET_KEY=your_stripe_secret_key
```