MERN Stack: Developing the User Authentication Service Print

  • 0

User authentication is a fundamental component of web applications today. It offers the ability to recognize a user's identity and ensure only authenticated users can access certain resources. This article will walk you through the step-by-step process of developing a User Authentication service in the MERN stack (MongoDB, Express, React, and Node.js). This guide will include code examples and thorough explanations.

1. Introduction

MERN stack is a JavaScript stack that's designed to make the development process smoother. Comprised of MongoDB, Express.js, React, and Node.js, each of these four technologies plays a vital role:

  1. MongoDB: A document-oriented NoSQL database, used to store data as BSON (Binary JSON).
  2. Express.js: Fast, unopinionated, and minimalist web framework for Node.js, used to build web applications in Node.js.
  3. React: A JavaScript library for building user interfaces, particularly single-page applications.
  4. Node.js: A JavaScript runtime built on Chrome's V8 JavaScript engine. It is used to run JavaScript on a server.

In this tutorial, we'll use these technologies to build an User Authentication service.

2. Define Your Service's Functionalities

Before diving into the code, we must define the functionalities of our User Authentication service. A comprehensive service usually includes:

  1. User registration
  2. User login
  3. Password reset
  4. Session management
  5. User data retrieval and modification

By clearly defining these functionalities, we can ensure a smoother development process.

3. Choose Your Technology Stack

The MERN stack is a perfect choice for our service due to its scalability, versatility, and the extensive community support available for these technologies.

4. Design the Database Schema

The first practical step in developing our service is to design a schema for our database. We'll use MongoDB for this purpose. Here is an example of a User schema:

const mongoose = require('mongoose');
const bcrypt = require('bcryptjs');

const UserSchema = new mongoose.Schema({
email: {
type: String,
required: true,
unique: true
password: {
type: String,
required: true,
resetPasswordToken: String,
resetPasswordExpires: Date

UserSchema.pre('save', function(next) {
let user = this;

if (!user.isModified('password')) return next();

bcrypt.hash(user.password, 10, function(err, hash) {
if (err) return next(err);
user.password = hash;

module.exports = mongoose.model('User', UserSchema);

In this schema, we have fields for email, password, resetPasswordToken, and resetPasswordExpires. We also have a pre-save hook to hash our passwords using bcrypt before saving them in the database.

5. Implement the Service

With our database schema ready, let's start implementing our service's functionalities. We'll use Express.js to build our backend and handle HTTP requests and responses.

5.1 User Registration

For user registration, we need to validate user input data, hash the password, and store user data in the database. Here's how we can do that using Express.js:

const express = require('express');
const router = express.Router();
const User = require('../models/User');'/register', async (req, res) => {
const { email, password } = req.body;

// Validate user input
if (!email || !password) {
return res.status(400).json({ msg: 'All fields are required.' });

// Check if user already exists
let user = await User.findOne({ email });
if (user) {
return res.status(400).json({ msg: 'User already exists.' });

// Create new user
user = new User({ email, password });

// Save user

res.status(201).json({ msg: 'User registered successfully.' });

module.exports = router;

In this code, we create a POST route /register which validates user input, checks if the user already exists in the database, creates a new user if not, and finally saves the user to the database.

5.2 User Login

Next, let's implement the login functionality. We need to authenticate the user by checking their provided password against the stored hashed password, and if the password is correct, generate a session token for the user.

const jwt = require('jsonwebtoken');
const bcrypt = require('bcryptjs');'/login', async (req, res) => {
const { email, password } = req.body;

// Validate user input
if (!email || !password) {
return res.status(400).json({ msg: 'All fields are required.' });

// Check if user exists
const user = await User.findOne({ email });
if (!user) {
return res.status(400).json({ msg: 'User does not exist.' });

// Check password
const isMatch = await, user.password);
if (!isMatch) {
return res.status(400).json({ msg: 'Invalid credentials.' });

// Generate JWT
const token = jwt.sign({ id: user._id }, process.env.JWT_SECRET, { expiresIn: '1h' });

// Respond with token
res.json({ token });

module.exports = router;

In this code, we first validate the user input, check if the user exists, and verify the password using bcrypt's compare function. If all checks pass, we generate a JSON Web Token (JWT) using the user's id and send it back in the response.

5.3 Password Reset

For password reset functionality, we'll need to generate a password reset token, email it to the user, and allow the user to change their password using this token. Here is a simple implementation:

const crypto = require('crypto');
// Import nodemailer for sending email
const nodemailer = require('nodemailer');'/forgotPassword', async (req, res) => {
const { email } = req.body;
const user = await User.findOne({ email });

if (!user) {
return res.status(400).json({ msg: 'User does not exist.' });

// Generate password reset token
const resetToken = crypto.randomBytes(20).toString('hex');
user.resetPasswordToken = resetToken;
user.resetPasswordExpires = + 3600000; // Token expires after 1 hour


// Send token to user via email
const transporter = nodemailer.createTransport({
service: 'Gmail',
auth: {
user: process.env.EMAIL_USERNAME,
pass: process.env.EMAIL_PASSWORD,

const mailOptions = {
from: process.env.EMAIL_USERNAME,
subject: 'Password Reset Token',
text: `You are receiving this because you (or someone else) have requested the reset of the password for your account.
Please click on the following link, or paste this into your

browser to complete the process within one hour of receiving it:
If you did not request this, please ignore this email and your password will remain unchanged.\n`,

transporter.sendMail(mailOptions, (err) => {
if (err) return res.status(500).json({ msg: 'Error sending email.' });
res.json({ msg: 'Password reset token sent to email.' });

module.exports = router;

In this script, we first check if the user exists. If they do, we generate a random password reset token using the crypto module, and set an expiration time of 1 hour. Then, we send an email to the user with the token included in a URL, using the nodemailer package.

5.4 Session Management

For session management, we'll use JSON Web Tokens (JWTs). We already generated a JWT when the user logged in. Now, we need to verify this token whenever the user tries to access protected resources:

const jwt = require('jsonwebtoken');

function auth(req, res, next) {
const token = req.header('x-auth-token');

// Check if token is present
if (!token) {
return res.status(401).json({ msg: 'No token, authorization denied.' });

// Verify token
try {
const decoded = jwt.verify(token, process.env.JWT_SECRET);
req.user = decoded;
} catch (err) {
res.status(400).json({ msg: 'Token is not valid.' });

module.exports = auth;

In this code, we create a middleware function auth that checks if a JWT is present in the headers of incoming requests. If the token is valid, we attach the decoded token (which includes the user's id) to the request object and call next(), otherwise, we respond with a 400 status code.

5.5 User Data Management

Finally, let's implement user data retrieval and modification. Here's an example of how to retrieve user data based on the session token:

router.get('/user', auth, async (req, res) => {
const user = await User.findById('-password');

module.exports = router;

In this code, we create a GET route /user that uses the auth middleware to authenticate the user. Then, it retrieves the user's data from the database and sends it back in the response, excluding the password.

6. Test Your Service

Testing is a crucial part of any software development process. We need to test all our functionalities to ensure they work as expected. For this purpose, you can use various testing libraries and frameworks like Jest and Mocha.

Furthermore, consider performing load testing and security testing. Tools like Apache JMeter can be used for load testing, while OWASP ZAP can be used for security testing.

Keep in mind that developing a service is an iterative process. You should always be ready to go back, make modifications, and retest as necessary.

7. Conclusion

Congratulations! You have just developed a User Authentication service using the MERN stack. Remember that building such a service can be complex and challenging, but also rewarding. Always be sure to follow best practices, keep your code clean, and continuously test to build robust and secure applications.

Happy coding!

Was this answer helpful?

« Back