A secure and minimal REST API for a note-taking application, built with Node.js + TypeScript + Express.
Designed with validation, security, and clarity in mind.

• Node.js
• TypeScript
• Express
• Prisma ORM
• SQLite
• JWT (cookie-based auth)
• class-validator
• Helmet
• Express Rate Limit
• Swagger (OpenAPI)

Design principle:

Thin controllers, explicit middleware, predictable request lifecycle.

• JWT stored in HttpOnly cookies
• Access token validated via middleware
• Notes are strictly user-scoped
• Ownership enforced on update/delete

Refresh token logic is intentionally minimal and can be extended.

Available at:

http://localhost:3000/docs

Create a .env file:

PORT=5000
DATABASE_URL=file:./dev.db
ALLOWED_ORIGINS=
JWT_SECRET=
JWT_REFRESH_SECRET=
SALT_ROUND=10
COOKIE_MAX_AGE=900000
COOKIE_LONG_MAX_AGE=604800000

pnpm install
pnpm prisma migrate dev
pnpm dev

http://localhost:3000

Prisma ORM

SQLite database

User

Note

helmet for HTTP hardening

Rate limiting on API

CORS allowlist

Request body validation

HttpOnly cookies

x-powered-by disabled

Refresh token rotation not fully implemented.

No RBAC (single-user role).

No automated tests yet.

SQLite should be replaced with PostgreSQL in production.

Frontend client: https://github.com/mssoheil/quickNote-frontend